in reply to Do I have to untaint all user input in a form?

To add to sauoq's advice on #1, if you elect to put still-tainted data into a database, make it one which supports tainted data from select. You can untaint now, or when you need it. I like now, because I might forget later, and somebody else might not suspect.

On #2, your Validate.pm doesn't untaint anything you can use. You're shifting the argument into a lexical package global and untainting that. The argument variable remains tainted. You can pass your variables by reference to fix that, or else use the (\$) prototype.

After Compline,
Zaxo

Re: Re: Do I have to untaint all user input in a form?
by bradcathey (Prior) on Nov 14, 2003 at 14:03 UTC
    your Validate.pm doesn't untaint anything you can use.
    Now, that's sobering, Zaxo. All that work and it wasn't doing what I intended. My quest grows longer as I now have to figure out what you meant by:
    You can pass your variables by reference to fix that, or else use the (\$) prototype.
    I'm hoping chromatic's code will shed some light.

    —Brad
    "A little yeast leavens the whole dough."

      A second look shows me that, the way you use Validate.pm, you are getting untainted data by immediately using the global $Validate::var. That is an awkward design which demands you call the validation/untaint function each time you need the variable (since $var may have changed in the interim). The solution is to write your functions to validate and untaint the variable you hand them. Here is how to write your val_alpha() function that way (untested),

      # val_alpha validates as [:alpha:], spaces, and hyphens.
      # Usage: val_alpha \$foo [, \$bar]
      # Each argument is a reference; on success the referenced variable
      # is overwritten with the (untainted) capture.
      sub val_alpha {
          for (@_) {
              if ($$_ =~ /^([A-Za-z -]*)$/) {
                  $$_ = $1;
              } else {
                  error_page();    # the caller's own error handler (not shown)
              }
          }
          1;
      }
      That should validate and untaint for all time the variables you hand it.

      After Compline,
      Zaxo
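As an added, runnable illustration of the point above (example code written for this page, not Zaxo's or bradcathey's): it shows that the shift-into-a-copy approach leaves the caller's variable tainted, that the by-reference approach from the post cleans it, and the (\$) prototype alternative. The tainted sample strings are constructed inside the script by appending a tainted empty string derived from %ENV to literals, standing in for form data; the names val_alpha_copy and val_phone, the phone regex, and reporting failure through the return value instead of error_page() are this example's own choices. It must be run with perl -T, otherwise Scalar::Util::tainted() reports 0 for everything.

```perl
#!/usr/bin/perl -T
# Added example: validate-and-untaint by reference under taint mode.
# Run as:  perl -T untaint_by_ref.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed tainted input (assumption for the example). Under -T every
# %ENV value is tainted, and taintedness survives substr(), so this is a
# tainted empty string; appending it taints our sample literals.
my $TAINT = substr(join('', values %ENV), 0, 0);

# The pattern discussed in the thread: shift the argument into a copy and
# untaint the copy. The caller's own variable is never touched.
sub val_alpha_copy {
    my $var = shift;
    if ($var =~ /^([A-Za-z -]*)$/) { $var = $1 }   # only the copy is clean
    return $var;
}

# Zaxo's fix: take references, validate, write the clean capture back.
# Returns true if every argument validated, false otherwise (this example's
# stand-in for calling error_page()).
sub val_alpha {
    my $ok = 1;
    for my $ref (@_) {
        if ($$ref =~ /^([A-Za-z -]*)$/) {
            $$ref = $1;    # $1 is untainted; assignment cleans the caller's variable
        } else {
            $ok = 0;       # leave the rejected value tainted and untouched
        }
    }
    return $ok;
}

# The (\$) prototype alternative: the caller writes val_phone($phone) and
# Perl passes a reference to $phone automatically. Pattern is an assumption
# for the example (NNN-NNN-NNNN).
sub val_phone (\$) {
    my $ref = shift;
    return 0 unless $$ref =~ /^(\d{3}-\d{3}-\d{4})$/;
    $$ref = $1;
    return 1;
}

my $name  = "Mary Ann Smith" . $TAINT;
my $phone = "555-123-4567"   . $TAINT;
my $evil  = "Mary; rm -rf /" . $TAINT;

printf "name tainted before any check:        %d\n", tainted($name)  ? 1 : 0;

val_alpha_copy($name);
printf "name tainted after copy-based check:  %d\n", tainted($name)  ? 1 : 0;

val_alpha(\$name) or die "name failed validation\n";
printf "name tainted after by-ref check:      %d\n", tainted($name)  ? 1 : 0;

val_phone($phone) or die "phone failed validation\n";
printf "phone tainted after prototype check:  %d\n", tainted($phone) ? 1 : 0;

if (val_alpha(\$evil)) {
    print "unexpected: '$evil' passed\n";
} else {
    printf "rejected '%s', still tainted: %d\n", $evil, tainted($evil) ? 1 : 0;
}
```

Expected behaviour under perl -T: the name stays tainted after val_alpha_copy (1), becomes clean after val_alpha(\$name) (0), the phone is clean after val_phone($phone) (0), and the string with ";" is rejected and remains tainted. Note that the regex capture is the only thing that clears taint here; assigning the whole unmatched value back would not.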

        Fantastic! Thanks much. I was hoping to find a way to write my routines in less code, only because it seemed like calling it every time, as you pointed out, was messy. Though I will have to call more specific regexes as I start validating/untainting phone numbers, etc. Anyway, I'll look forward to trying this out over the weekend (still have the day job).

        —Brad
        "A little yeast leavens the whole dough."