[Tutor] Untainting CGI parameters

Kent Johnson kent37 at tds.net
Wed Aug 10 18:32:38 CEST 2005


Jan Eden wrote:
> Hi,
> 
> I would like to untaint all parameters with which my CGI script is called. Example:
> 
> if parameters.has_key('type'):
>     match = re.search('\w+', parameters['type'].value)
>     type = match.group()
> else: type = 'page'

OK, I don't know much Perl but I don't think these two snippets do the same thing. For one thing the regexes are different, second in the Python you need to check if the match succeeds. I would write it as

type = 'page'
if parameters.has_key('type'):
    match = re.search('^\w+$', parameters['type'].value)
    if match:
        type = match.group()

or maybe
try:
    match = re.search('^\w+$', parameters['type'].value)
    type = match.group()
except KeyError, AttributeError:
    type = 'page'

> In Perl, I used the ternary operator to write it like this:
> 
> my $type = ($parameters{type} && ($parameters{type} =~ /^(\w+)$/)) ? $1 : 'page';
> 
> While this is not the most beautiful code to look at, I have a
> weakness for compact programs - so can I shorten the Python
> equivalent somehow?

mmm, not sure how to do that...Python doesn't put such a premium on compactness. If you have to do it a lot just put it in a function and call that...

Kent



More information about the Tutor mailing list