APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2005/03/04 tr

I use this in Perl much more than the shell, but that's probably because most anything that needs it is usually too complicated for the shell.

The man page for tr gives some examples, but doesn't mention what is probably its most important use nowadays: security for input strings gathered from web forms. Any web site that allows other people to provide content or comments (as we do here) has to be concerned about Cross-Site Scripting. That term really is a misnomer and simply means that malicious content can be interpreted by web browsers. People browsing suspicious websites have to worry about that a little, but web site owners have to worry even more (if they are accepting outside material for comments, etc.).

Back to "tr". Let's say I've gathered some input from you and I want to strip any html or possible shell redirection from it. Of course I could run through deleting characters I don't want, like "<" and ">" and "|", and maybe it's a login name and I don't want quotation marks, and so on, but I'm bound to forget something, so the better way is to use "tr" to only allow what I DO want. So,

Perl: $input =~ tr/a-zA-Z0-9//cd;
Shell: input=$(printf '%s' "$input" | tr -cd 'a-zA-Z0-9')
 

will remove everything EXCEPT letters and numbers.
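
The allowlist filter above wrapped in a shell function, as an added example that is not the author's code; the helper names, the sample string and the 32-character limit are assumptions. It also shows why the range has to be spelled a-zA-Z0-9: in ASCII, the span A-z also covers [ \ ] ^ _ and the backquote.

```shell
#!/bin/sh
# Added example: allowlist filtering with tr (helper names are hypothetical).

# Keep only ASCII letters and digits. LC_ALL=C pins the ranges to ASCII so
# locale collation cannot widen them; printf avoids echo's option and
# escape handling, and "$1" is quoted so the shell does not split or glob it.
allow_alnum() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'a-zA-Z0-9'
}

# The loose range A-z spans ASCII 65..122, which also lets through
# [ \ ] ^ _ and the backquote. Shown only for comparison.
allow_loose() {
    printf '%s' "$1" | LC_ALL=C tr -cd '0-9A-z'
}

# Validate a login name: filter it, then accept only if nothing had to be
# stripped, the result is non-empty, and it is at most 32 characters long
# (the limit is an assumption for this example).
valid_login() {
    clean=$(allow_alnum "$1")
    [ -n "$clean" ] && [ "$clean" = "$1" ] && [ "${#clean}" -le 32 ]
}

# Constructed sample input, as it might arrive from a form field.
sample='bob`id`<b>|_^x'
printf 'strict: %s\n' "$(allow_alnum "$sample")"
printf 'loose:  %s\n' "$(allow_loose "$sample")"
```
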

"tr" has other uses, and the shell version understands some useful shorthand: tr "[:lower:]" "[:upper:]" will translate its input to upper case. It can "squeeze" characters, which can be useful for removing extraneous spaces:

echo "foo     bar" | tr -s " "
foo bar
 

Of course, it often gets much more complicated. For example, I allow some html tags in submitted comments. I have to be very careful about that, and only allow the non-harmful tags through. This usually requires more than "tr" could do by itself, but certainly it comes into play as part of the process.

If the world were a nicer place, "tr" would still be useful to protect from typing mistakes and for uppercasing, etc. but today it's usually security that's on my mind when I use this.




© Tony Lawrence


