I looked into CGI::Untaint but was non-plused by the documentation. Untainting CGI data, if I understand the basic concept, is not a complicated task. In fact, I had assumed that there wasn't an Untaint module (apparently incorrectly) for that very reason. The CGI::Untaint module, OTOH, seems aimed more towards data validation (via Extract) where untainting the data is just a pass through step.

If all I wanted to do was untaint my CGI params, how would just that one task be accomplished using CGI::Untaint? The documentation is rather vague on that point. The module also appears to be fairly young. Is this a situation where roll-your-own is an acceptable option?

On a more general note, are there any hard and fast rules for evaluating the suitability of a module for a given task other than by recommendation (assuming we're talking about a beginner at Perl). Specifically, how can you tell if a more recent module has been adequately vetted?

As an aside, this module doesn't appear to be available directly from Active State via ppm.

--Jim

While CGI::Untaint would be good for untainting a mass of variables. It is basicaly more like data validation. To me after looking at CGI::Untaint's documentation it bears a resemblance to a very basic version of Data::FormValidator and is obsoleted by it. Data::FormValidator can be given a regex as a rule to check the input value of a form field. For example:


use strict;
use CGI;
use Data::FormValidator;

my $q = new CGI;

# hashref of data
my $UnsafeData = $q->Vars;


my $validator = new Data::FormValidator( "input_profiles.pl" );
my ( $valid, $missing, $invalid, $unknown ) = $validator->validate(  $
+UnsafeData, "customer_infos" );
[download]

An example of input_profiles.pl taken from the documentation

           {
               customer_infos => {
                   optional     =>
                       [ qw( company fax country password password_con
+firmation file_path) ],
                   required     =>
                       [ qw( fullname phone email address) ],
                   required_regexp => '/city|state|zipcode/',
                   optional_regexp => '/_province$/',
                   constraints  =>
                       {
                           file_path   => '/([-\w.\/]*)/',
                           email       => "email",
                           fax         => "american_phone",
                           phone       => "american_phone",
                           zipcode     => '/^\s*\d{5}(?:[-]\d{4})?\s*$
+/',
                           state       => "state",
                       },
                   constraint_regexp_map => {
                       '/_postcode$/'  => 'postcode',
                       '/_province$/'  => 'province,
                   },
                   dependency_groups  => {
                       password_group => [qw/password password_confirm
+ation/]
                   }
                   defaults => {
                       country => "USA",
                   },
               }
}
[download]

The data in $valid is now considered untainted and all unexpected fields are put in $unknown as an array ref. Read the documentation on Data::FormValidator as this module will not only allow you to set the rules of the data coming in but also weed out the data that you don't want.

BMaximus