Modifying user data

Sometimes you can modify the data to make it less harmful.

Example: you want to read an SQL select statement from the user.
Allow reads only; no updates, etc.

  $_ = param('sql');
  s/ ^ \s* select \s+ //xg;      # strip the initial 'select'
  $_ = "select $_";              # put it back
  $_ =~ s/ \b into \b //xg;      # remove the ability to use
                                 # 'select ... into'

This can break, though. (All 'into's removed, even inside legitimate data...)
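The filter above, wrapped in a function and run over a few constructed inputs so that both failure modes are visible: legitimate queries that the rewrite damages, and inputs the rewrite never touches. This is an added example, not code from the presentation; restrict_to_select and the sample queries are invented for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# restrict_to_select is a made-up name: the slide's regexes as a function.
sub restrict_to_select {
    my ($sql) = @_;
    my $s = $sql;
    $s =~ s/ ^ \s* select \s+ //x;   # strip the initial 'select'
    $s = "select $s";                # put it back
    $s =~ s/ \b into \b //xg;        # remove the ability to use 'select ... into'
    return $s;
}

# Constructed inputs: what a user might send, and what the filter makes of it.
my @cases = (
    # Legitimate reads that the rewrite damages.
    [ 'legit',   q{select id from notes where body like '%into%'} ],
        # the data word 'into' is deleted: LIKE '%%' now matches every row
    [ 'legit',   q{SELECT * FROM users} ],
        # the leading strip is case-sensitive: result is 'select SELECT * FROM users'
    # Hostile inputs the rewrite does not stop.
    [ 'hostile', q{select 1 INTO OUTFILE '/tmp/out'} ],
        # no /i on the substitution, so an upper-case INTO survives
    [ 'hostile', q{select 1; delete from users} ],
        # a second, stacked statement is never examined at all
);

for my $case (@cases) {
    my ($kind, $in) = @$case;
    my $out = restrict_to_select($in);
    printf "%-7s in:  %s\n        out: %s\n\n", $kind, $in, $out;
}
```

Run it with perl and compare the in/out pairs: the rewrite alters harmless text ('into' inside a string literal, a capitalised SELECT) while leaving hostile text alone whenever it is spelled differently from what the regex expects (INTO in upper case) or sits outside the part the regex looks at (a stacked statement after a semicolon, which matters if the database driver executes multiple statements). Text rewriting cannot express "reads only"; a read-only database account enforces it regardless of what the string says.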
Copyright 2003, Bri Hatch of Onsight, Inc.
Presented at SPUG, 2003.
Presentation created using vim and MagicPoint.