in reply to Re: Re: Insecurities in my scripting
in thread Insecurities in my scripting

Short answer: yes!

However, once Taint mode is on, every piece of user-entered data must be untainted, or your script will die if you try to pass that data on to an external program.

This can only be done by assigning the value from $1 after successfully matching a regex.

You could though, match anything with a regex such as ...
warning: bad code

if ( $form{usermail} =~ /(.*)/ ) { $form{usermail} = $1; }
Taint mode will not complain, and you will still be passing insecure data to the sendmail program because that regex matched anything and everything.

So, long answer: yes, but it's up to you to responsibly and thoughtfully untaint the data.

As before, I recommend you read the regex tutorial to learn such things as assigning a match to $1.
See this offsite Taint tutorial http://gunther.web66.com/FAQS/taintmode.html.
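As an added example (not fireartist's code, nor the original poster's script), here is a runnable Perl script that puts the catch-all regex above next to a restrictive one and uses Scalar::Util::tainted to show what -T actually checks. The %form hash, its usermail field and the sample values are constructed for the demo; the taint is attached with the usual idiom of concatenating a zero-length substring of a tainted %ENV value, since nothing in the script arrives from a real form.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T untaint_demo.pl   (the -T must be on the command line,
# otherwise Perl stops with "Too late for -T")
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The loose pattern from the post. /(.*)/ matches anything, so $1 is just
# the input again. Perl untaints the capture, but nothing was checked.
sub untaint_anything {
    my ($value) = @_;
    return $1 if $value =~ /(.*)/;
    return;
}

# A restrictive pattern for a plain mailbox@domain address. \A and \z anchor
# it so nothing can precede or follow the match, and the character classes
# exclude whitespace, newlines, quotes and the shell metacharacters
# (; | & ` $ < > ( )) that matter once the value reaches sendmail.
# Returns the untainted address, or undef to signal "reject this input".
sub untaint_email {
    my ($value) = @_;
    return unless defined $value && length($value) <= 254;
    if ($value =~ /\A([A-Za-z0-9._%+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/) {
        return $1;    # $1 is untainted because it came out of a regex match
    }
    return;
}

# ---- demo with constructed input ---------------------------------------

# Nothing here comes from a real CGI request, so taint is attached by
# concatenating an empty substring of %ENV (always tainted under -T).
my $taint = substr($ENV{PATH} // '', 0, 0);

# Under -T a system() or piped open() also dies while PATH is tainted, so
# set a known-good PATH and drop the variables a shell would honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my @samples = (
    'alice@example.com',              # legitimate address
    'alice@example.com; rm -rf /',    # shell metacharacters appended
);

for my $raw (@samples) {
    my %form = ( usermail => $raw . $taint );   # tainted, like real form data

    printf "input [%s]: tainted=%s\n",
        $form{usermail}, tainted($form{usermail}) ? 'yes' : 'no';

    my $loose = untaint_anything($form{usermail});
    printf "  loose  /(.*)/ -> [%s] tainted=%s\n",
        $loose, tainted($loose) ? 'yes' : 'no';

    my $strict = untaint_email($form{usermail});
    printf "  strict        -> %s\n",
        defined $strict ? "accepted [$strict]" : 'rejected';
}
```

Both captures come back untainted, so -T is equally happy with either; only the strict version has made a decision about the data. When the address then goes to sendmail, keep it off the command line altogether: open the pipe in list form, `open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t')`, and put the validated address in the To: header you print to that handle, so no shell ever sees it.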

Replies are listed 'Best First'.
Re: Re: Re: Re: Insecurities in my scripting
by sulfericacid (Deacon) on Nov 21, 2002 at 08:10 UTC
    Thanks fireartist for the info on tainting. I will look into those resources and will post another question if I get stumped.

    Thanks again!!

    sulfericacid