in reply to [5.8.0 Note] use Taint or die

Cool...

Since the package doesn't turn tainting on, but only enforces it, maybe it should be named something like "ForceTaint" or "CheckTaint" instead?
--
Mike

Re: [5.8.0 Note] use Taint or die
by Abigail-II (Bishop) on Nov 29, 2002 at 13:31 UTC
    But you can't rely on it checking for Tainting, or forcing it. Why? Because you are using the module while taint isn't in effect. Which means that @INC could already have been tampered with (for instance, because you got a nasty PERL5LIB environment variable). And if @INC was tampered with, it could mean you aren't using the module you think you are using.

    Abigail

      It is, however, significantly better than nothing, esp. if used properly. Specifically, you should "use Taint" before even looking at possibly tainted data, as far as you can get away with it. If it's the second line in your file (after the shebang), that's a very small window to mess things up. Additionally, unless you advertise it (such as by using CGI::Carp :fatalsToBrowser), they won't know you're using the Taint module, and thus not design their crack to account for it. Essentially, the only attack left is to try to mess up PERL5LIB (or possibly PATH with a tainted perl binary) before perl is invoked. It's not a bullet-proof vest, just bullet-resistant. Still better than nothing. (The /best/ thing to do would be to have die "INVOKED WITHOUT TAINT!" unless ${^TAINT} directly as the second line of your script.)

      PS -- does anybody know what ${^TAINT} is set to in "baby taint mode" (i.e. -t, warn-on-taint-violation mode)? I'm running 5.6.1, which doesn't support either. It might be possible to fake out ${^TAINT} checking with -t.


      Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

        > perl -t -e"die ${^TAINT}"
        1 at -e line 1.
        > perl -T -e"die ${^TAINT}"
        1 at -e line 1.
        > perl -e"die ${^TAINT}"
        0 at -e line 1.

        ~Particle *accelerates*

        It's giving you a false sense of security. You shouldn't use use Taint; as your first line after the shebang, you should use -T as your first option on the shebang line.

        Abigail
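The following script is an added example, not code posted by anyone in this thread and not the Taint module itself. It combines the two pieces of advice above: -T on the shebang line, as Abigail recommends, and a die-unless-${^TAINT} guard as the first statement, as the earlier reply suggests. It also addresses the PS about -t: in Perl 5.8.1 and later, ${^TAINT} is 1 under -T, 0 with no taint checks, and -1 under -t, so a plain truth test would accept -t and the guard below compares against 1 explicitly. Scalar::Util::tainted is used to show that environment data really is tainted; the HOME handling is illustrative only.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Putting -T on the #! line makes
# perl itself refuse to run the script unless taint mode is also enabled
# on the command line, so no module needs to be loaded from a possibly
# tampered @INC before enforcement happens. The BEGIN guard is belt and
# braces: it runs at compile time, before anything else in the file.
BEGIN {
    # ${^TAINT} (5.8.0+): 1 under -T, 0 without taint checks, and -1
    # under -t ("baby taint mode", warnings only). -1 is true, so a
    # bare "unless ${^TAINT}" would let -t through; require exactly 1.
    die "INVOKED WITHOUT TAINT! (\${^TAINT} is " . ${^TAINT} . ")\n"
        unless ${^TAINT} == 1;
}

use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value that comes from outside the program (environment,
# arguments, file input) is tainted until it passes through a regex capture.
my $home = defined $ENV{HOME} ? $ENV{HOME} : '(unset)';
printf "HOME is %s, tainted: %s\n", $home, tainted($home) ? 'yes' : 'no';

# Untainting means validating: only an absolute path built from a safe
# character set is accepted, and the captured text is what gets used.
if ( defined $ENV{HOME} && $ENV{HOME} =~ m{^(/[\w./-]*)\z} ) {
    my $safe_home = $1;    # the capture is no longer tainted
    printf "validated HOME: %s, tainted: %s\n",
        $safe_home, tainted($safe_home) ? 'yes' : 'no';
}
else {
    print "HOME did not pass validation; refusing to use it\n";
}
```

Run it as ./taintguard.pl (the kernel passes -T from the shebang) or as perl -T taintguard.pl; perl -t taintguard.pl and plain perl taintguard.pl are both rejected, the first by the ${^TAINT} == 1 comparison, the second by perl's own check that -T on the #! line was also given on the command line. As Abigail's first reply notes, a check that lives in a module cannot tell whether @INC was altered before it was loaded, which is why the shebang switch and the in-script guard, rather than a use line, carry the enforcement here.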