Support for all characters in text boxes sent to CGI.

Posted on 2003-03-10
Medium Priority
Last Modified: 2013-12-25
I am creating a script to allow me to make updates to an online journal.  Not unlike a blog, but I'm anti other people's software (*pride*).  I've been using SQL to store the info and it's working except for certain characters.

I'm using a textarea to type in, and after being submitted with an apostrophe it breaks.  Also, it loses the carriage returns.  How and when do I prepare for these situations?  It looks like there is some level of this happening now, but that is borrowed code so I don't fully understand what it does.

The part I don't fully understand is this:  $value[$i] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;  And I have a feeling that this may be partly to blame for my issues.

This is what happens to the data now: (paraphrased)

     $i = 0;
     read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
     @pairs = split(/&/, $buffer);
     foreach $pair (@pairs) {
          ($name[$i], $value[$i]) = split(/=/, $pair);

          $value[$i] =~ tr/+/ /;
          $value[$i] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

          $name[$i] =~ tr/+/ /;
          $name[$i] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
          $i++;
     }

$stuff = $value[2];

$SQL = "insert into $main_table(stuff) values('$stuff');";
$InsertRecord = $dbh->do($SQL);

# That gets the data from the form and sends it to my SQL table

# Then to recall it:

$SQL = "SELECT * FROM $main_table;";
$Select = $dbh->prepare($SQL);
$Select->execute;

while ($Row = $Select->fetchrow_hashref) {
     $stuff = $Row->{stuff};

     print "Stuff: $stuff\n";
}

I did just think about something...do I need to put it into an array instead of a variable?  Would that solve the carriage return issue?  I still have the apostrophe issue though.

Thanks in advance.
Question by:archaic0
LVL 51

Accepted Solution

ahoffmann earned 800 total points
ID: 8118482
> .. after being submitted with an apostrophe it breaks.
your (posted) code is totally insecure, in particular vulnerable to SQL injection and cross-site scripting.
SQL injection is happening here, because you pass $stuff unfiltered to the SQL engine, which treats the ' as the end of a value (and anything else, somehow, as a command in the worst case).

>  The part I don't fully understand is this:
this code does the URL decoding, meaning it converts the hex-coded characters back to ASCII characters.

What to do?
  before using any value (like $stuff), you need to parse it, and escape problematic characters.
  'cause you use $stuff in both SQL and HTML, you have to do it twice.

  A simple, to be improved in many ways, check might be:

  $html = $sql = $stuff;
  $html =~ s/</$lt;/g; $html =~ s/>/$gt;/g; $html =~ s/&/$amp;/g; $html =~ s/"/$quot;/g;
  $sql  =~ s/'/''/g;
  $sql  =~ s/%//g;   # needed if $sql is used in a WHERE or LIKE clause
  Also do a:

  $pair =~ s/%00//g;  # before splitting into name, value

These are just some basic steps; you need to check input very carefully. I highly recommend matching against a positive list, like [a-zA-Z0-9_]* etc., but never against a negative list like [^%>&]*
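The following is an added example, not code from the question or from ahoffmann's answer. It puts the decoding loop from the question into a function and runs it on a constructed POST body containing an apostrophe, a CR LF and a script tag, then stores and redisplays the value the way the answer recommends: the value is kept out of the SQL text entirely (a DBI placeholder instead of doubling apostrophes by hand), and it is HTML-escaped on output. It assumes DBI and DBD::SQLite are installed; the table name `journal`, the column `stuff` and the sample body are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example (not code from the original post or its author).
# Assumes DBI and DBD::SQLite are installed; the table "journal", column
# "stuff" and the sample POST body below are constructed for this demo.
use strict;
use warnings;
use DBI;

# URL-decode an application/x-www-form-urlencoded body into name/value pairs.
# This is what the regex the poster asked about does: "%27" -> "'",
# "%0D%0A" -> CR LF, "+" -> space.  Decoding is correct; the problem was what
# happened to the decoded value afterwards.
sub parse_form {
    my ($body) = @_;
    my %form;
    for my $pair (split /&/, $body) {
        my ($name, $value) = split /=/, $pair, 2;
        for ($name, $value) {
            next unless defined;
            tr/+/ /;
            s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
            tr/\0//d;   # drop NUL bytes *after* decoding, so "%00" cannot slip through
        }
        $form{$name} = $value;
    }
    return \%form;
}

# Escape for HTML output.  Carriage returns survive the round trip through the
# database; they disappear on display because browsers collapse whitespace, so
# each line break becomes <br> after escaping (never before, or "<br>" itself
# would be escaped).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    $s =~ s/\r?\n/<br>\n/g;
    return $s;
}

# Constructed POST body: an apostrophe, a line break and a script tag, the
# kind of input that broke the original script.
my $body = "title=Day+1&stuff=It%27s+raining.%0D%0A%3Cscript%3Ealert(1)%3C%2Fscript%3E";
my $form = parse_form($body);
my $raw  = $form->{stuff};

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE journal (id INTEGER PRIMARY KEY, stuff TEXT)");

# Vulnerable: the value is pasted into the SQL text, so the apostrophe ends the
# string literal and the statement fails (or, with crafted input, does
# something else entirely).
eval { $dbh->do("INSERT INTO journal(stuff) VALUES('$raw')") };
print "string-built INSERT failed as expected: $@" if $@;

# Fixed: a placeholder sends the value separately from the SQL text, so quotes,
# percent signs and newlines are plain data and need no escaping at all.
$dbh->do("INSERT INTO journal(stuff) VALUES(?)", undef, $raw);

# Recall and display: escape at the point of output, not before storing.
my $sth = $dbh->prepare("SELECT stuff FROM journal");
$sth->execute;
while (my $row = $sth->fetchrow_hashref) {
    print "Stuff: ", html_escape($row->{stuff}), "\n";
}
```

The string-built INSERT dies with a syntax error at the apostrophe; the placeholder INSERT stores the text intact, CR LF included, and the SELECT prints it as `It&#39;s raining.<br>` followed by the escaped script tag, so the browser shows the line break and the literal tag text instead of executing it. A positive list, as the answer recommends, is the right check for fields with a known shape (a title, a date, a numeric id); for a free-text journal entry, where every character is legitimate, placeholders plus output escaping are what keep it out of both interpreters.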

Expert Comment

ID: 8122234

I agree with your solution but you got a few typos in this line:

$html =~ s/</$lt;/g; $html =~ s/>/$gt;/g; $html =~ s/&/$amp;/g; $html =~ s/"/$quot;/g;

...should be (ampersands instead of dollar signs):

$html =~ s/</&lt;/g; $html =~ s/>/&gt;/g; $html =~ s/&/&amp;/g; $html =~ s/"/&quot;/g;


LVL 51

Expert Comment

ID: 8128689
duuh, thanks for correction
 (typos wouldn't be harmful, just the wrong display;-)

Author Comment

ID: 8131948
Thanks for the help guys.

Will doing all of that preserve carriage returns to be sent to SQL and display the carriage returns when I recall it?

(...and I'll be giving the points to ahoffmann unless chapatti has a problem with that.)


Expert Comment

ID: 8132044
oh, no problem at all!
She / he deserves them!

Author Comment

ID: 8246956
sorry it took so long...I lost track of my questions...
LVL 51

Expert Comment

ID: 8247137
you traced the track, somehow ...
Thanks for coming back and grading.

Author Comment

ID: 8802801
