• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 732
  • Last Modified:

Ampersand and percent sign removed from POSTed text field

I have a web page where a visitor types his password in a text form field, which is then POSTed to a perl program.  When the field arrives, if there was an ampersand "&" or percent sign "%" in the person's password, the password field is not accurately presented to the perl script.  I'm guessing that's related to how the percent sign is used to evaluate spaces and other characters in URIs.

Is there a way to get these characters to POST accurately, or do people just typically disallow the use of these characters when a user is selecting a password?
Thanks,
Steve D.
0
StevenMiles
Asked:
StevenMiles
3 Solutions
 
Suhas .QA ManagerCommented:
since & and % are special characters and you are storing the password as string,
its better to have a condition before storing the password,

search for & or % , replace with \& or \% globally.

The best option is not to use special characters for password in this case.
0
 
TintinCommented:
So long as you're correctly processing the CGI data, the % and & symbols will be recognised just fine.

Say your form field was called 'pass'

Then the following Perl/CGI code will display exactly what you typed in the field

#!/usr/bin/perl
use strict;
use CGI;
my $q = new CGI;
my $pass = $q->param('pass');
print $q->header('text/plain');
print "$pass\n";
0
 
ahoffmannCommented:
> Is there a way to get these characters to POST accurately,
the browser does that for you, it sends %25 for % and %26 for &
you simply need to url decode your parameters
(but take care that you also may get unexpected characters like %0d or %00 and many more, you need to implement a whitelist check also, but that's another story ...)
0
 
StevenMilesAuthor Commented:
Hi, all,
Tintin, your code worked exactly right.  I hadn't been using CGI, but rather doing the parsing myself, and I found some *strong* admonishments on the web to *not* do that, but rather use CGI for it.
And ahoffman, I shall also implement a whitelist for checking the input.  It took using CGI, at least for me, to get the input accurately.
However, there is another problem. If you would, please search for my name for another issue, closely related to this, that I'll be posting in about one minute!
--Steve
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now