[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 729
  • Last Modified:

Ampersand and percent sign removed from POSTed text field

I have a web page where a visitor types his password in a text form field, which is then POSTed to a perl program.  When the field arrives, if there was an ampersand "&" or percent sign "%" in the person's password, the password field is not accurately presented to the perl script.  I'm guessing that's related to how the percent sign is used to evaluate spaces and other characters in URIs.

Is there a way to get these characters to POST accurately, or do people just typically disallow the use of these characters when a user is selecting a password?
Thanks,
Steve D.
0
StevenMiles
Asked:
StevenMiles
3 Solutions
 
Suhas .QA ManagerCommented:
since & and % are special characters and you are storing the password as string,
its better to have a condition before storing the password,

search for & or % , replace with \& or \% globally.

The best option is not to use special characters for password in this case.
0
 
TintinCommented:
So long as you're correctly processing the CGI data, the % and & symbols will be recognised just fine.

Say your form field was called 'pass'

Then the following Perl/CGI code will display exactly what you typed in the field

#!/usr/bin/perl
use strict;
use CGI;
my $q = new CGI;
my $pass = $q->param('pass');
print $q->header('text/plain');
print "$pass\n";
0
 
ahoffmannCommented:
> Is there a way to get these characters to POST accurately,
the browser does that for you, it sends %25 for % and %26 for &
you simply need to url decode your parameters
(but take care that you also may get unexpected characters like %0d or %00 and many more, you need to implement a whitelist check also, but that's another story ...)
0
 
StevenMilesAuthor Commented:
Hi, all,
Tintin, your code worked exactly right.  I hadn't been using CGI, but rather doing the parsing myself, and I found some *strong* admonishments on the web to *not* do that, but rather use CGI for it.
And ahoffman, I shall also implement a whitelist for checking the input.  It took using CGI, at least for me, to get the input accurately.
However, there is another problem. If you would, please search for my name for another issue, closely related to this, that I'll be posting in about one minute!
--Steve
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now