in reply to Re: CGI question: untainting a lot of variables
in thread CGI question: untainting a lot of variables

The reference to this module was interesting so I decided to check it out. Maybe someone could explain to me if there are any real advantages to using CGI::Untaint in this situation. There's a good chance I'm suffering from brain burnout right now, so apologies if this post turns out to be a Doh! I don't mind being corrected as I'm here to learn.

I looked into CGI::Untaint but was non-plused by the documentation. Untainting CGI data, if I understand the basic concept, is not a complicated task. In fact, I had assumed that there wasn't an Untaint module (apparently incorrectly) for that very reason. The CGI::Untaint module, OTOH, seems aimed more towards data validation (via Extract) where untainting the data is just a pass through step.

If all I wanted to do was untaint my CGI params, how would just that one task be accomplished using CGI::Untaint? The documentation is rather vague on that point. The module also appears to be fairly young. Is this a situation where roll-your-own is an acceptable option?

On a more general note, are there any hard and fast rules for evaluating the suitability of a module for a given task other than by recommendation (assuming we're talking about a beginner at Perl). Specifically, how can you tell if a more recent module has been adequately vetted?

As an aside, this module doesn't appear to be available directly from Active State via ppm.

--Jim

  • Comment on Re: Re: CGI question: untainting a lot of variables

Replies are listed 'Best First'.
Re: Re: Re: CGI question: untainting a lot of variables
by BMaximus (Chaplain) on Dec 31, 2001 at 10:52 UTC
    While CGI::Untaint would be good for untainting a mass of variables. It is basicaly more like data validation. To me after looking at CGI::Untaint's documentation it bears a resemblance to a very basic version of Data::FormValidator and is obsoleted by it. Data::FormValidator can be given a regex as a rule to check the input value of a form field. For example:
    use strict;
use CGI;
use Data::FormValidator;

my $q = new CGI;

# hashref of data
my $UnsafeData = $q->Vars;


my $validator = new Data::FormValidator( "input_profiles.pl" );
my ( $valid, $missing, $invalid, $unknown ) = $validator->validate(  $
+UnsafeData, "customer_infos" );

    [download]
    An example of input_profiles.pl taken from the documentation 
               {
               customer_infos => {
                   optional     =>
                       [ qw( company fax country password password_con
+firmation file_path) ],
                   required     =>
                       [ qw( fullname phone email address) ],
                   required_regexp => '/city|state|zipcode/',
                   optional_regexp => '/_province$/',
                   constraints  =>
                       {
                           file_path   => '/([-\w.\/]*)/',
                           email       => "email",
                           fax         => "american_phone",
                           phone       => "american_phone",
                           zipcode     => '/^\s*\d{5}(?:[-]\d{4})?\s*$
+/',
                           state       => "state",
                       },
                   constraint_regexp_map => {
                       '/_postcode$/'  => 'postcode',
                       '/_province$/'  => 'province,
                   },
                   dependency_groups  => {
                       password_group => [qw/password password_confirm
+ation/]
                   }
                   defaults => {
                       country => "USA",
                   },
               }
}

    [download]
    The data in $valid is now considered untainted and all unexpected fields are put in $unknown as an array ref. Read the documentation on Data::FormValidator as this module will not only allow you to set the rules of the data coming in but also weed out the data that you don't want.

    BMaximus
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom