Elijah wrote in a previous discussion about forming argument vectors for
> When some kind of user interface allows the user to type in a string which
> becomes (or becomes part of) a command line, the user interface should take
> appropriate action to prevent any special characters from being interpreted
> by the shell rather than by the intended program. In particular, a SWISH-E
> interface should prevent the shell from interpreting ANY special character
> which is typed in as part of a query string.
> open(SWISH, "$swish -w '$query' -m $results -f $index|");
I had a simple solution to this which suited my particular application: I
simply remove all characters other than A-Za-z0-9'- from the entered query
It means you can't use wildcards, or search for something like $2.00, but
from looking at the log of what people actually type in in my search
forms, 99.9% of users only search for English words. Almost without
exception, the only use of 'special' characters in search queries at my
sites have been attempts to find security holes.
We computer-heads like to think people take advantage of advanced search
capabilities, regular expressions and the like, but the vast majority of
users out there typing queries into search forms *simply do not do this*.
They are not like us. They type in English dictionary words separated by
whitespace, without changing any search form options.
The tiny number of users who might be disadvantaged is, I feel, outweighed
at my sites by the importance of maintaining security. I don't think
there is any way of compromising security with a query only containing the
characters A-Za-z0-9'- (which will probably mean that someone will write in
to say it ain't so!!).
Clearly this is not suitable for all sites. You might be running swish
at a site whose typical user profile is that of a regular expression
unix-head who might reasonably expect such search functionality to be
offered. In which case you have to take a different approach as previously
Dr Brendan Jones |
Honorary Associate |
Electronics Department |
Macquarie University | Email: email@example.com
NSW 2109 AUSTRALIA | WWW : http://www.mpce.mq.edu.au/~brendan/
Received on Mon Aug 3 22:29:46 1998