Re: [SWISH-E:381] RE: Using Parentheses

From: Brendan Jones <brendan(at)not-real.mpce.mq.edu.au>
Date: Tue Aug 04 1998 - 05:19:59 GMT
Elijah wrote in a previous discussion about forming argument vectors for
swish:

> When some kind of user interface allows the user to type in a string which
> becomes (or becomes part of) a command line, the user interface should take
> appropriate action to prevent any special characters from being interpreted
> by the shell rather than by the intended program. In particular, a SWISH-E
> interface should prevent the shell from interpreting ANY special character
> which is typed in as part of a query string.
>
>       open(SWISH, "$swish -w '$query' -m $results -f $index|"); 

I had a simple solution to this which suited my particular application: I
simply remove all characters other than A-Za-z0-9'- from the entered query
string.

It means you can't use wildcards, or search for something like $2.00, but
from looking at the log of what people actually type in in my search
forms, 99.9% of users only search for English words.  Almost without
exception, the only use of 'special' characters in search queries at my
sites have been attempts to find security holes.

We computer-heads like to think people take advantage of advanced search
capabilities, regular expressions and the like, but the vast majority of
users out there typing queries into search forms *simply do not do this*.
They are not like us.  They type in English dictionary words separated by
whitespace, without changing any search form options.

The tiny number of users who might be disadvantaged is, I feel, outweighed
at my sites by the importance of maintaining security.  I don't think
there is any way of compromising security with a query only containing the
characters A-Za-z0-9'- (which will probably mean that someone will write in
to say it ain't so!!).

Clearly this is not suitable for all sites.  You might be running swish
at a site whose typical user profile is that of a regular expression
unix-head who might reasonably expect such search functionality to be
offered.  In which case you have to take a different approach as previously
suggested.

-- 
Dr Brendan Jones        |
Honorary Associate      |
Electronics Department  |
Macquarie University    | Email: brendan@mpce.mq.edu.au
NSW 2109  AUSTRALIA     | WWW  : http://www.mpce.mq.edu.au/~brendan/
Received on Mon Aug 3 22:29:46 1998
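As an added example (not part of the original post or the swish-e project), the allowlist filter described above placed next to the fix a defender would apply to the quoted open() line: Perl's list-form pipe open, which runs the program directly so no shell ever parses the query. The swish-e path and index file name are placeholders. One caveat worth noting: the post's allowlist keeps the apostrophe, and in the quoted command string the query sits inside single quotes, so an apostrophe is exactly the character that ends that quoted word; the filter here therefore drops it, and the list-form open makes the quoting question moot in any case.

```perl
#!/usr/bin/perl
# Added example, not from the original post or the swish-e project.
use strict;
use warnings;

# Allowlist filter in the spirit of the post: keep letters, digits, spaces
# and hyphens; everything else (shell metacharacters included) is removed.
# The apostrophe is deliberately not kept: inside the single-quoted '$query'
# of the original command string it would terminate the quoted word.
sub sanitize_query {
    my ($query) = @_;
    $query =~ s/[^A-Za-z0-9 -]//g;   # drop every disallowed character
    $query =~ s/\s+/ /g;             # collapse runs of whitespace
    $query =~ s/^ | $//g;            # trim a leading/trailing space
    return $query;
}

# The pattern the thread warns about, kept here only for contrast: a single
# string handed to /bin/sh, so the shell, not swish-e, decides what every
# special character in $query means.
sub run_swish_via_shell {
    my ($swish, $index, $query, $results) = @_;
    open(my $fh, "$swish -w '$query' -m $results -f $index|") or die "$!";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Safer: list-form pipe open. With a list of more than one element Perl
# exec()s the program directly and no shell is involved, so the query
# reaches swish-e as one argument regardless of what it contains.
sub run_swish {
    my ($swish, $index, $query, $results) = @_;
    my @argv = ($swish, '-w', $query, '-m', $results, '-f', $index);
    open(my $fh, '-|', @argv) or die "cannot run $swish: $!";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Demo on a constructed query string; no swish-e binary is needed for this.
my $raw = "  price \$2.00 & perl's *wild*  card ";
print "raw:       [$raw]\n";
print "sanitized: [", sanitize_query($raw), "]\n";   # [price 200 perls wild card]

# Real invocation when words are given on the command line.
# /usr/local/bin/swish-e and index.swish-e are placeholder paths.
if (@ARGV) {
    my @hits = run_swish('/usr/local/bin/swish-e', 'index.swish-e',
                         sanitize_query(join ' ', @ARGV), 40);
    print @hits;
}
```

The filter is still useful as defence in depth (it also keeps odd bytes out of logs and out of swish-e's own query parser), but it is the list-form open that removes the shell from the picture; with it, a site whose users do want wildcards or `$2.00` could relax the allowlist without reopening the injection problem the thread is about.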