in reply to Re: Re: Why do I need -w in a cgi script
in thread Why do I need -w in a cgi script

Taint checking is a security tool, not a development tool. Unless security is unimportant in production, do not remove it.

Oh? I know it's a run-time mechanism, but I was under the impression that if you were doing anything unsafe with tainted data, a reasonable amount of testing would flush that out, and you'd fix it, and subsequently you would not be doing unsafe things with tainted data, provided the script and the taintedness of its data don't change and that you tested all the code pathways in testing. I've been leaving it turned on, because not forgetting to turn it back on if I make changes is more important to me than performance, but I'd be interested in an explanation of how my thinking in this area is mistaken. 

$;=sub{$/};@;=map{my($a,$b)=($_,$;);$;=sub{$a.$b->()}}
split//,".rekcah lreP rehtona tsuJ";$\=$ ;->();print$/

[download]

Replies are listed 'Best First'.
Re: Re: Why do I need -w in a cgi script
by Juerd (Abbot) on Oct 09, 2003 at 21:20 UTC

    I was under the impression that if you were doing anything unsafe with tainted data, a reasonable amount of testing would flush that out

    Sure. But testing is done by people. People make mistakes. Computer is here to help us. It's not perfect, but once you decide you like tainting, why remove it? Perhaps the computer will find more mistakes later.

    Please note that I do not use -T unless when automatically enabled.

    Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }

[reply]

In Section Seekers of Perl Wisdom