BlueChips23 - 1 year ago 98
Perl Question

Remove unsafe HTTP characters from a string

I have to send a bunch of string variables as payloads in an HTTP POST message using Perl.

I want to remove "unsafe" characters, such as < > “ ‘ % ; ) ( & + from my string variable.

I know I can use a regex pattern to find and replace each of these characters, but I am wondering if there's any existing Perl library that already does that.

For example, I found

my $esc = Apache::Util::escape_uri($uri);

Can I use Apache::Util::escape_uri for this? Or is there a better way?

EDIT 1: I have already mentioned that by unsafe, I mean characters like < > “ ‘ % ; ) ( & + which can be used in SQL injection. I don't know how to describe this problem better.

EDIT 2: Here's the code that I am working on - it's embedded Perl code:

use CGI;

my $cgi = CGI->new();
my $param1 = $cgi->param('param1');
my $param2 = $cgi->param('param2');
my $param3 = $cgi->param('param3');

# I want to remove unsafe characters (< > “ ‘ % ; ) ( & +) from $param1, $param2 and $param3
# Q is, do I use Apache::Util::escape_uri; even if that's for removing unsafe chars from URI?
# OR do I use URI::Escape 'uri_escape';?
# The heredoc below interpolates the three parameters into the script block unchanged.
my $script = <<__HTML__;
<script> ({
'paramA': '$param1',
'paramB': '$param2',
'paramC': '$param3'
}) </script>
__HTML__

EDIT 3: If anyone else has the same question, I ended up writing a Perl function that looks for certain characters such as "(", "{", "$", ";", etc., and removes them from your provided string parameter.

The list of all characters that I am escaping is:
";", "(", ")", "[", "]", "{", "}", "~", "`", "/", "<", ">", "&", "|", "'", "\"", "\\"

Obviously, there's room for exclusions as well.

Answer Source

There is no general definition of unsafe characters, so it falls to you to determine whether any of your answers fulfill your requirement.

Looking at the source of Apache::Util, it does some very unpleasant things to its own namespace, and I wouldn't trust it. It is intended to be used as a component of mod_perl, and shouldn't be accessed in isolation.

I think the canonical way of escaping HTTP URIs is to use the URI::Escape module:

use URI::Escape 'uri_escape';

You must provide data and code for any more help than this.
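
The answer's point that "unsafe" depends on where the value ends up, shown as an added example (not code from the question or the answer): the same parameter is encoded once for a URI or form-encoded POST body with URI::Escape, and once for the JavaScript string context used in EDIT 2. The sample value and the js_literal helper are constructed for illustration; it assumes the URI distribution is installed and uses the core JSON::PP module.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape qw(uri_escape_utf8);
use JSON::PP ();

# Constructed sample value containing the characters listed in the question.
my $param1 = q{O'Reilly <b> & "co"; 50% (a+b) </script>};

# Context 1: the value goes into a URI or a form-encoded POST body.
# Everything outside A-Za-z0-9 - . _ ~ is percent-encoded, so the receiver
# gets the original string back after decoding; nothing is stripped.
my $for_uri = uri_escape_utf8($param1);

# Context 2: the value goes into a JavaScript string inside a <script> block.
# Serialise it as a JSON string literal (quotes, backslashes and control
# characters escaped; non-ASCII written as \uXXXX), then encode "<" so the
# HTML parser can never see "</script>" or "<!--" inside the value.
my $json = JSON::PP->new->allow_nonref->ascii;

sub js_literal {    # hypothetical helper name
    my ($value) = @_;
    my $literal = $json->encode($value);
    $literal =~ s/</\\u003c/g;
    return $literal;
}

# js_literal returns the surrounding double quotes itself, so the template
# has no quotes around %s (unlike '$param1' in the question's heredoc).
my $script = sprintf "<script> ({ 'paramA': %s }) </script>",
    js_literal($param1);

print "URI context:    $for_uri\n";
print "Script context: $script\n";
```

For the SQL case mentioned in EDIT 1, bound placeholders in DBI (prepare with ?, then execute with the value) keep the parameter out of the statement text, so no character removal is needed there either.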
