PerlMonks  

CGI::param wrapper for untainting

by dcardamo (Initiate)
on Mar 27, 2001 at 22:59 UTC [id://67585]

dcardamo has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to make a function called param which is a wrapper for CGI::param. Its only purpose is to go through what is returned from param($string) and untaint it.

Here is the code I've got:

```perl
package GWP::Safe;
$VERSION = '1.0';
require 5.000;
require Exporter;
use lib "modules";
use GWP::Prefs;    # error() is presumably provided by this module (not shown in the post)
use CGI ();
@ISA    = qw(Exporter);
@EXPORT = ('param');
use strict;

# this is to fix tainting
sub param($) {
    my ($string) = @_;
    if (defined wantarray and wantarray == 1) {
        # list context: untaint every value returned for this parameter
        my @retval = CGI::param($string);
        for (my $i = 0; $i <= $#retval; $i++) {
            # (.*) matches anything up to the first newline, so $1 is
            # always defined and the value is untainted unconditionally
            $retval[$i] =~ /(.*)/;
            $retval[$i] = $1;
        }
        return @retval;
    }
    else {
        # scalar context: untaint the single (first) value
        my $retval;
        $retval = CGI::param($string);    # this is always undef!
        if ($retval =~ /(.*)/) {
            $retval = $1;
        }
        else {
            # unreachable: (.*) matches every string, including the empty one
            error("Bad data in $retval");
        }
        return $retval;
    }
}

1;    # a module must return a true value when required
```

Now when I run it (I've only tried asking for a scalar) then $retval is always undef after calling CGI::param($string). I know that the $string I'm asking for is in the form.

I've also tried calling my sub 'safeparam' and then importing param from CGI into my namespace so that I can call it normally, and that produces the same results.

Does anyone have an idea of why this is happening, or if there is already an untainting CGI wrapper out there?

Thanks,
Dan

Re: CGI::param wrapper for untainting
by footpad (Abbot) on Mar 27, 2001 at 23:42 UTC

    Um, why reinvent the wheel? Consider using the Untaint module, written by one of your fellow monks.

    Also, I'd be very leery of using .* to untaint things. For one thing, you don't know what you're being sent, so it's best to test the parameters you're expecting for a limited set of values you approve of. Untaint provides a convenient interface for doing so.

    In addition, you may wish to meditate on this discussion of dot star.

    --f

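To make footpad's advice concrete, here is an added example (not code from the original post or from the Untaint module) of a wrapper that untaints only values matching an explicit, anchored pattern per parameter name, and that handles list and scalar context the way the original `param` wrapper tried to. The `%ALLOWED` table, the `safe_param` name and the constructed query string are assumptions for illustration; run it under `perl -T` to see the untainting matter.

```perl
use strict;
use warnings;
use CGI ();

# Approved shape for each parameter this script expects (assumed rules).
# Anchors and a capture group are what make $1 a deliberately untainted value.
my %ALLOWED = (
    name => qr/^([A-Za-z][A-Za-z0-9_]{0,31})$/,
    id   => qr/^([0-9]{1,9})$/,
);

# Untainting wrapper around CGI::param: returns only values that match the
# approved pattern for $name; anything else is dropped with a warning.
sub safe_param {
    my ($q, $name) = @_;
    my $re = $ALLOWED{$name}
        or die "safe_param: no validation rule for parameter '$name'\n";

    my @clean;
    for my $raw ($q->param($name)) {       # list context: every value sent
        next unless defined $raw;
        if ($raw =~ $re) {
            push @clean, $1;               # captured text is untainted
        }
        else {
            warn "safe_param: rejected a value for '$name'\n";
        }
    }
    # list context gets all clean values, scalar context the first one
    return wantarray ? @clean : $clean[0];
}

# Constructed request so the example runs offline; %3B decodes to ';'.
# A real CGI script would simply call CGI->new with no arguments.
my $q = CGI->new('name=dan&id=42&id=4%3B2');

my $name = safe_param($q, 'name');
my @ids  = safe_param($q, 'id');
printf "name=%s ids=%s\n", $name, join(',', @ids);
```

With the constructed input, `name` passes, the first `id` passes, and the second `id` (`4;2`) is rejected and never reaches the caller, whereas the `(.*)` approach would have blessed all three. The `wantarray ? @clean : $clean[0]` form is the usual way to honour both calling contexts without comparing `wantarray` to a specific value.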
Re: CGI::param wrapper for untainting
by dws (Chancellor) on Mar 28, 2001 at 05:37 UTC
    Reader:

    If you've not yet figured out what "Some notes below your chosen depth have not been shown here" means, now is a good time to learn, as there is some valuable material in this discussion that is otherwise invisible to you.

    When you see the Some notes are ... phrase below a note, it means just what it says. You're only seeing part of the discussion, and there's more to be seen below the note. Clicking on the note's title (for example, Re: Re: Re: CGI::param wrapper for untainting above) will give you access to more of the discussion. You may need to do this several times to see the entire tree. I recommend practicing on this discussion. There's some good stuff buried here.

(tye)Re: CGI::param wrapper for untainting
by tye (Sage) on Mar 28, 2001 at 04:11 UTC

    For what it's worth, I don't see anything non-functional about your code. Time to do some debugging.

            - tye (but my friends call me "Tye")
