
Formatting input for security

Status
Not open for further replies.

busfault

Programmer
May 12, 2005
1
US
I am working on a script that takes the output of an application on my linux server and prints the output. I have text from the user run with the program like such:
print `app $word`;
After realizing that this would allow &cmds and redirects I added print `app \"$word\"` which seems to work but I would like to know how to strip everything except a-zA-Z and typical word letters like '.
Also is there a better way of running an application?
Thanks,
Tom
 
strip all but a-zA-Z:

my $word = 'c&l#@e>an+_-=ed&&';
$word =~ s/[\W_]//g;   # delete every non-word character (\W) and the underscore; letters and digits survive
print $word;           # prints "cleaned"
 
If you turn on 'taint mode' (the -t switch on your shebang line), Perl will protect you from user-inputted data which may be used in an undesired way. You'd then have to untaint that data with a regexp before Perl will let you use it for things like filenames and commands.
Code:
my ( $untainted ) = $word =~ /^([a-zA-Z.]+)$/;
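The two answers above cover the two halves of the fix: validate the word with an allow-list regex (which also untaints it under -T), and stop handing the word to a shell at all. The following is an added example, not code from the original thread, that puts both together using Perl's list form of open(), which passes the arguments directly to execvp() so that &, ;, | and redirects are never interpreted. It assumes a program called `app` on the PATH that takes one word as its argument; that name is a placeholder from the question, not a real tool.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): run an external program on
# user-supplied text without ever handing that text to a shell.
use strict;
use warnings;

# Under -T, Perl refuses to use untrusted data in system()/exec()/open()
# until it has passed through a regex capture. $ENV{PATH} must also be a
# trusted literal or the exec dies with "Insecure $ENV{PATH}".
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allow-list untaint: the word must start with a letter or digit (so it can
# never be mistaken for an option such as "-f") and may then contain letters,
# digits, apostrophe, hyphen and dot, up to 64 characters. Anything else is
# rejected outright rather than silently stripped.
sub untaint_word {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /^([A-Za-z0-9][A-Za-z0-9.'-]{0,63})$/;
    return $clean;    # undef means "rejected"
}

# Run the program with the list form of open(): the argument list goes
# straight to execvp(), so shell metacharacters in $word have no meaning.
# 'app' is a placeholder name assumed to exist on the PATH.
sub run_app {
    my ($word) = @_;
    my $arg = untaint_word($word);
    die "rejected input\n" unless defined $arg;
    open(my $fh, '-|', 'app', $arg)
        or die "cannot run app: $!\n";
    my @out = <$fh>;
    close($fh)
        or die "app exited with status " . ($? >> 8) . "\n";
    return \@out;
}

# Constructed inputs: the first passes validation, the second is rejected
# before any process is started.
for my $w ("don't", 'c&l#@e>an+_-=ed&&') {
    my $out = eval { run_app($w) };
    print defined $out ? @$out : "[$w] $@";
}
```

Run it as `perl -T script.pl` (or make it executable and invoke it directly); Perl refuses to start with "Too late for -T option" if the shebang asks for taint mode but the command line does not. The main design choice is rejecting bad input instead of cleaning it: the s/[\W_]//g approach turns 'rm -rf' into 'rmrf' and quietly runs something the user did not type, whereas an allow-list makes the failure visible and keeps the program's argument exactly what was validated.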
 
