Re: troublesome inputs

From: "Mark Cowlishaw" <markc(at)ot(dot)com(dot)au>
To: <mpm(at)norwottuck(dot)com>, "PgSql General List" <pgsql-general(at)postgresql(dot)org>, "Lincoln Yeoh" <lyeoh(at)pop(dot)jaring(dot)my>
Subject: Re: troublesome inputs
Date: 2001-02-19 01:03:35
Message-ID: 026b01c09a0f$c933dc60$5250460a@meta2k
Lists: pgsql-general


> At 02:49 PM 2/17/01 -0500, Michelle Murrain wrote:
> >in an unrecoverable error. What I need to do is two-fold - escape stuff that
> >is easy (like single quotes), and do testing of types (make sure they are not
> >putting non-numerics in int fields, etc.)
> >

Input parameter testing in perl is quite straightforward using regex
matching. I do this on my input parameters (assumes you are using CGI.pm):

my $bar = validate(trim($cgi->param('bar')), '^\d+$')
or push(@error_list, "Missing or Invalid Bar");

where trim() removes leading/trailing whitespace (s/^\s*//; s/\s*$//;)
and validate() performs a regex match and returns undef on no match.

Save all the errors in a list for processing later so you don't make the user
re-enter the form details 5 times before they get told about all their
errors.

For doing stuff like escaping strings for input into the database, I've
found using the prepared statement mechanism very helpful since it does
this for you -- there is probably some performance hit doing it this way
but I think using Perl to start with obviates most performance concerns ;-)

my $sth = $dbh->prepare("insert into foo (a,b,c) values (?,?,?)");
$sth->execute(1,2,"some random string with funny chars");
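The two pieces above (regex validation with an accumulated error list, and a placeholder insert) put together into one runnable script. This is an added example, not code from the original post; it assumes DBD::SQLite is installed and uses an in-memory SQLite database in place of PostgreSQL, a plain hash in place of `$cgi->param(...)`, and a hypothetical `check_form()` wrapper around the poster's `trim()`/`validate()` idiom. The sample submissions are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# trim(): strip leading and trailing whitespace; undef stays undef
sub trim {
    my ($s) = @_;
    return undef unless defined $s;
    $s =~ s/^\s+//;
    $s =~ s/\s+$//;
    return $s;
}

# validate(): return the value if it matches the pattern, undef on no match
sub validate {
    my ($value, $pattern) = @_;
    return undef unless defined $value && $value =~ /$pattern/;
    return $value;
}

# check_form() (hypothetical helper): validate every field, collecting all
# errors in one list so the user sees them together. Takes a hashref that
# stands in for $cgi->param(...).
sub check_form {
    my ($p) = @_;
    my (@error_list, %ok);

    $ok{a} = validate(trim($p->{a}), '^\d+$')
        or push @error_list, "Missing or Invalid A";
    $ok{b} = validate(trim($p->{b}), '^\d+$')
        or push @error_list, "Missing or Invalid B";
    # free text: printable characters only, bounded length
    $ok{c} = validate(trim($p->{c}), '^[^\x00-\x1f\x7f]{1,200}$')
        or push @error_list, "Missing or Invalid C";

    return (\%ok, \@error_list);
}

# Assumed: DBD::SQLite is available; :memory: stands in for a PostgreSQL DSN.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('create table foo (a integer, b integer, c text)');

# Placeholders: DBI hands the values to the driver separately from the SQL
# text, so the apostrophe in c is stored as-is and no hand escaping is needed.
my $sth = $dbh->prepare('insert into foo (a, b, c) values (?, ?, ?)');

# Constructed sample submissions
my @forms = (
    { a => '12abc', b => '',  c => 'x'       },   # two bad fields
    { a => ' 42 ',  b => '7', c => "O'Brien" },   # all good
);

for my $form (@forms) {
    my ($vals, $errors) = check_form($form);
    if (@$errors) {
        print "Rejected:\n";
        print "  - $_\n" for @$errors;
        next;
    }
    $sth->execute($vals->{a}, $vals->{b}, $vals->{c});
    my ($stored) = $dbh->selectrow_array(
        'select c from foo where a = ?', undef, $vals->{a});
    print "Inserted a=$vals->{a}, c=$stored\n";
}
```

One caveat on the `validate(...) or push ...` idiom: a field whose legitimate value is the string "0" is false in Perl, so it would be reported as missing. If zero is an allowed value for a numeric field, test `defined` on the result instead of relying on truthiness.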
