Tags: perl, escaping, perl-module

Remove unsafe HTTP characters from a string


I have to send a bunch of string variables as payloads in a HTTP POST message using Perl.

I want to remove "unsafe" characters, such as < > “ ‘ % ; ) ( & + from my string variable.

I know I can use a regex pattern to find and replace each of these characters, but I am wondering if there's any existing Perl library that already does that.

For example, I found Apache::Util

my $esc = Apache::Util::escape_uri($uri);

Can I use Apache::Util::escape for this? Or is there a better way?

EDIT 1: I have already mentioned that by unsafe, I mean characters like < > “ ‘ % ; ) ( & + which can be used in SQL-injection. I don't know how to describe this problem better.

EDIT 2: Here's the code that I am working on - it's embedded Perl code:

use strict;
use warnings;
use CGI;

my $cgi = CGI->new();
my $param1 = $cgi->param('param1');
my $param2 = $cgi->param('param2');
my $param3 = $cgi->param('param3');

# I want to remove unsafe characters (< > “ ‘ % ; ) ( & +) from $param1, $param2 and $param3
# Q is, do I use Apache::Util::escape_uri; even if that's for removing unsafe chars from URI?
# OR do I use URI::Escape 'uri_escape';?
# The three values are interpolated verbatim into the JavaScript below.
my $script = <<__HTML__;
    <script>
       API.call ({
            'paramA': '$param1',
            'paramB': '$param2',
            'paramC': '$param3'
        });
    </script>
__HTML__

EDIT 3: If anyone else has the same question, I ended up writing a Perl function that looks for certain characters such as "(", "{", "$", ";", etc. and removes them from your provided string parameter.

The list of all characters that I am escaping is: ";", "(", ")", "[", "]", "{", "}", "~", "`", "/", "<", ">", "&", "|", "'", "\"", "\\"

Obviously, there's room for exclusions as well.


Solution

  • There is no general definition of unsafe characters, so it falls to you to determine whether any of your answers fulfill your requirement

    Looking at the source of Apache::Util it does some very unpleasant things to its own name space, and I wouldn't trust it. It is intended to be used as a component of mod_perl, and shouldn't be accessed in isolation

    I think the canonical way of escaping HTTP URIs is to use the URI::Escape module

    use URI::Escape 'uri_escape';
    

    You must provide data and code for any more help than this
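The following is an added example, written for this page and not code from the asker or the answerer. It puts side by side the three treatments the thread discusses: the character blacklist from EDIT 3, the URI::Escape call the answer recommends, and an encoding suited to the context the EDIT 2 heredoc actually uses, a string literal inside a <script> element. It assumes URI::Escape (CPAN) and JSON::PP (core since Perl 5.14) are installed; the input string is constructed to contain every character on the asker's list plus a closing </script> tag.

```perl
#!/usr/bin/perl
# Added example, not code from the question or the answer above.
# Assumes URI::Escape (CPAN) and JSON::PP (core since 5.14) are installed.
use strict;
use warnings;
use URI::Escape qw(uri_escape);
use JSON::PP;

# Constructed sample input standing in for $cgi->param('param1'). It contains
# every character from the asker's EDIT 3 list plus a closing </script> tag,
# which is the one sequence that must never reach the browser unencoded.
my $untrusted = q{O'Brien says "hi" </script> 100% & co; ("x") [y] {z} ~ ` | \\};

# 1. Blacklist removal, as the asker described in EDIT 3.
#    The value is altered (dropped characters are gone for good) and anything
#    not on the list, such as newlines, still passes through untouched.
my @unsafe = (';', '(', ')', '[', ']', '{', '}', '~', '`', '/',
              '<', '>', '&', '|', "'", '"', '\\');
sub strip_unsafe {
    my ($s) = @_;
    my $class = join '', map { quotemeta } @unsafe;   # escape regex metacharacters
    $s =~ s{[$class]}{}g;
    return $s;
}

# 2. URI escaping, the answer's suggestion. Correct when the value is placed in
#    a query string or form body: every byte outside the unreserved set becomes
#    %XX and the receiver can decode the original value exactly. It is not an
#    encoding for the JavaScript context in the asker's <script> block.
sub as_query_param {
    my ($name, $value) = @_;
    return uri_escape($name) . '=' . uri_escape($value);
}

# 3. Encoding for the context the asker's heredoc actually uses: a string
#    literal inside <script>. Emit a JSON string literal (quotes, backslashes
#    and control characters are escaped, non-ASCII becomes \uXXXX) and then
#    also encode "<" and ">" so the HTML parser cannot see "</script>" inside
#    the literal. A double-quoted JSON string literal is valid JavaScript.
my $json = JSON::PP->new->ascii->allow_nonref;
sub js_literal {
    my ($value) = @_;
    my $lit = $json->encode("$value");
    $lit =~ s{<}{\\u003c}g;
    $lit =~ s{>}{\\u003e}g;
    return $lit;
}

# The asker's heredoc rebuilt with js_literal() in place of raw interpolation;
# the literal supplies its own quotes, so the single quotes are dropped.
sub script_block {
    my ($p1, $p2, $p3) = @_;
    my ($ja, $jb, $jc) = map { js_literal($_) } ($p1, $p2, $p3);
    return <<"__HTML__";
    <script>
       API.call ({
            'paramA': $ja,
            'paramB': $jb,
            'paramC': $jc
        });
    </script>
__HTML__
}

print "stripped:   ", strip_unsafe($untrusted), "\n";
print "query:      ", as_query_param('param1', $untrusted), "\n";
print "js literal: ", js_literal($untrusted), "\n";
print script_block($untrusted, 'second', 'third');
```

Running it shows the difference between the three: strip_unsafe() silently changes the data, as_query_param() produces a value that is safe in a URI but would still be a live string once decoded and dropped into the script, and js_literal() keeps the original value intact while making sure the browser reads all of it as string content and never as markup or code.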