in reply to Do I have to untaint all user input in a form?
1. For the purposes of untainting, do I have to validate every user input value, even though they are all going into a database? I.e., is it overkill? Or is it just good practice? (I know I won't get any errors unless I try to open, eval, etc.)
When validating untrusted user input, there's not much that could be called "overkill".
For starters, see tilly's recent node: Use placeholders. For SECURITY! Consider also whether the data will ever be used for anything else. It might just be going into a database right now, but what are you going to do with it next year? Better safe than sorry, right?
As for your validation routines, the one that stands out as being insufficient is the email validation routine. Consider using something a bit more robust, like CGI::Untaint::email perhaps.
-sauoq "My two cents aren't worth a dime.";
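As an added illustration (not sauoq's code, and not from the node linked above), here is how the two pieces of advice fit together in a Perl CGI context: untaint each field with a regex capture so only the allowed shape survives, then hand the values to DBI through placeholders so they are never interpolated into SQL. The form field names, the in-memory SQLite table and the loose email pattern are all assumptions made for the example; the email check is only a shape check and is exactly the sort of thing CGI::Untaint::email would replace.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use DBI;

# Constructed sample input standing in for submitted form fields
# (in a real script these would come from CGI->param and be tainted).
my %form = ( username => 'alice_42', email => 'alice@example.com' );

# Under -T the only way to launder tainted data is a regex capture,
# so untainting and validation are the same step: keep exactly the
# characters we allow and nothing else.
sub untaint_username {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

# Deliberately minimal email shape check: one '@', no whitespace, bounded
# length. It validates structure only; a real validator such as
# CGI::Untaint::email is the better choice for production code.
sub untaint_email {
    my ($raw) = @_;
    return $raw =~ /\A([^\s@]{1,64}\@[^\s@]{1,255})\z/ ? $1 : undef;
}

my $user  = untaint_username($form{username}) // die "rejected username\n";
my $email = untaint_email($form{email})       // die "rejected email\n";

# In-memory SQLite so the example runs offline; any DBI driver is used the same way.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');

# Placeholders: the SQL text is fixed and the values are bound separately,
# so a quote or semicolon in a field can never change the statement.
# The interpolated form, "INSERT ... VALUES ('$user', '$email')", is what
# the linked node warns against.
my $sth = $dbh->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
$sth->execute($user, $email);

my ($count) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM users WHERE email = ?', undef, $email);
print "rows stored for $email: $count\n";
```

Placeholders stop the values from altering the query; the regex captures are what constrain what gets stored, which is the "what will you do with it next year" point: data that is later printed into a page, written to a file or passed to a shell is only as safe as the validation it went through on the way in.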
Re: Re: Do I have to untaint all user input in a form?
by bradcathey (Prior) on Nov 14, 2003 at 14:10 UTC