Mork29 has asked for the wisdom of the Perl Monks concerning the following question:

I'm curious as to other Monks' views of Taint and its usage. It seems to me that circumstances change dramatically whenever you are accepting user input of any form. Input can come in many ways and be used in many different ways on different types of systems. Also, scripts and users will have different rights and be located in different places. I guess what I'm trying to ask is, shouldn't you do your own taint checking every time you write a script that takes in user input, and have that taint checking be specific to your situation? If that's the case, then when would you need Perl's taint checking? Do most Monks here rely on Perl for taint checking? Do you include your own?

Title edit by tye (avoid single-word titles, please)

Re: Taint
by sgifford (Prior) on Aug 01, 2003 at 20:44 UTC

    Perl's taint checking just kills your script when you use some user input in a possibly dangerous way. It doesn't do any automatic fixing of the problem, so you are doing your own taint checking in a situation-specific way.

    With taint checking, Perl just tries to warn you if you screw up, and kill your script before it does anything dangerous.

Re: Taint
by jcpunk (Friar) on Aug 01, 2003 at 21:31 UTC
    I'm tempted to say that taint mode should be the default in Perl, just on the grounds that it has kept me from doing a hell of a lot more idiotic things than use strict; has. But with a tool that is trusted this much you need to remember to check yourself over as good measure. Case in point:
    One script I wrote used taint mode, but I wanted to convert a few fields to lowercase before I fiddled with them. After 'untainting' all of the scalars by tr /A-Z/a-z/, suddenly my data was OK, and I forgot to actually check the value till about 3 days before it went out, and then I only caught it by accident......

    Taint mode rules, 'cause it forces you to be careful... so I would recommend it. However, remember the story and don't forget that taint mode doesn't know the difference between a smart and a dumb taint check.
    jcpunk


    all code is tested, and doesn't work so there :p (variant on common PM sig for my own amusement)
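The two points above (sgifford: taint mode only dies, it never cleans anything; jcpunk: a sloppy untaint satisfies perl without checking anything) in one runnable script. This is an added example, not code from either poster. It assumes a file name arrives as the first command-line argument and that `ls` is on the PATH; the hostile argument suggested in the comment is a constructed test value, and nothing here passes it to a shell.

```perl
#!/usr/bin/perl -T
# Added example: taint mode versus "smart" and "dumb" untainting.
# Run as:   perl -T taint_demo.pl report.txt
#      or:  perl -T taint_demo.pl 'x; rm -rf /'      # constructed hostile value
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, every value that comes from outside the program (here @ARGV)
# carries the taint flag. Assumption: the first argument is a file name.
my $input = defined $ARGV[0] ? $ARGV[0] : 'report.txt';

# Taint mode also refuses to start external commands until %ENV is cleaned,
# so pin PATH and drop the variables perl treats as dangerous.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# "Dumb" untaint: the capture matches anything, so perl is satisfied,
# but the value was never actually inspected. This is the trap jcpunk hit.
sub untaint_dumb {
    my ($value) = @_;
    my ($clean) = $value =~ /(.*)/s;
    return $clean;
}

# "Smart" untaint: an allow-list of what a file name may look like in this
# program (no spaces, slashes or shell metacharacters); undef otherwise.
sub untaint_filename {
    my ($value) = @_;
    return unless defined $value;
    my ($clean) = $value =~ /^(\w[\w.-]{0,63})\z/;
    return $clean;
}

# system() is one of the sinks taint mode guards: a tainted argument makes
# it die with "Insecure dependency in system while running with -T switch".
# The list form never involves a shell, so the hostile value cannot do harm
# here; it only shows which untaint let it through.
sub try_system {
    my ($label, $value) = @_;
    return "$label: rejected by our own check" unless defined $value;
    my $ok = eval { system('ls', '-ld', '--', $value); 1 };
    return $ok ? "$label: taint mode let system() run"
               : "$label: taint mode refused: $@";
}

printf "raw input tainted? %s\n", tainted($input) ? 'yes' : 'no';
print try_system('tainted',       $input),                     "\n";
print try_system('dumb untaint',  untaint_dumb($input)),       "\n";
print try_system('smart untaint', untaint_filename($input)),   "\n";
```

With `report.txt` the first call is refused and both untaints let `system()` run; with the hostile value the dumb untaint still lets it through and only the allow-list rejects it. Perl cannot tell the two regexes apart: both produce an untainted capture, so the quality of the check is entirely the author's responsibility.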
Re: Taint
by waswas-fng (Curate) on Aug 01, 2003 at 20:53 UTC
    Aye, Perl's taint warning just tells you "hey dolt, you forgot to make sure this data was safe before you used it". Consider it a safety net like use strict;. It's still up to you to determine what to do to the data to make sure it is safe.

    -Waswas