in reply to Re: Do I have to untaint all user input in a form?
in thread Do I have to untaint all user input in a form?

your Validate.pm doesn't untaint anything you can use.
Now, that's sobering, Zaxo. All that work and it wasn't doing what I intended. My quest grows longer as I now have to figure out what you meant by:
You can pass your variables by reference to fix that, or else use the (\$) prototype.
I'm hoping chromatic's code will shed some light.

—Brad
"A little yeast leavens the whole dough."

Re: Re: Re: Do I have to untaint all user input in a form?
by Zaxo (Archbishop) on Nov 14, 2003 at 19:39 UTC

    A second look shows me that, the way you use Validate.pm, you are getting untainted data by immediately using the global $Validate::var. That is an awkward design which demands you call the validation/untaint function each time you need the variable (since $var may have changed in the interim). The solution is to write your functions to validate and untaint the variable you hand them. Here is how to write your val_alpha() function that way (untested),

```perl
    # val_alpha validates as [:alpha:], spaces, and hyphens.
    # Usage: val_alpha \$foo [, \$bar]
    sub val_alpha {
        for (@_) {
            if ($$_ =~ /^([A-Za-z -]*)$/) {
                $$_ = $1;
            } else {
                error_page();
            }
        }
        1;
    }
```
    That should validate and untaint for all time the variables you hand it.

    After Compline,
    Zaxo
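The pass-by-reference pattern Zaxo describes, as an added example that is not Zaxo's or Brad's code: each validator receives references to the caller's variables, matches the whole value against an allow-list pattern, and writes the capture back through the reference, so the caller's own variable is untainted once and stays untainted. The validator names, the error_page() behaviour, the phone-number pattern and the sample form values are assumptions for illustration; real input would come from CGI param() and be tainted already, so the example taints its constructed values by hand to show the effect under perl -T. It also uses \z rather than $ as the end anchor, a deliberate hardening because $ alone would admit a trailing newline.

```perl
#!/usr/bin/perl -T
# Added example (not code from the original thread). Run as: perl -T this.pl
# Validators take references, untaint in place via a regex capture, and call
# error_page() on the first value that fails. Names are illustrative.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# val_alpha: letters, spaces and hyphens only (same allow-list as the thread).
# Usage: val_alpha(\$foo [, \$bar ...])
sub val_alpha {
    for my $ref (@_) {
        if ($$ref =~ /^([A-Za-z -]*)\z/) {
            $$ref = $1;    # $1 is untainted; overwrite the caller's variable
        } else {
            error_page('alpha', $$ref);
        }
    }
    return 1;
}

# val_phone: a stricter, purpose-specific pattern (assumed ddd-ddd-dddd form).
sub val_phone {
    for my $ref (@_) {
        if ($$ref =~ /^(\d{3}-\d{3}-\d{4})\z/) {
            $$ref = $1;
        } else {
            error_page('phone', $$ref);
        }
    }
    return 1;
}

# Stand-in for the page's error_page(): abort instead of rendering a page.
sub error_page {
    my ($kind, $bad) = @_;
    die "validation failed ($kind): '$bad'\n";
}

# Constructed input. Under -T every %ENV value is tainted, and taint spreads
# through concatenation, so appending an empty slice of $ENV{PATH} taints a
# literal without changing its text. This stands in for tainted CGI params.
sub taint_value {
    my ($s) = @_;
    return $s . substr($ENV{PATH} // '', 0, 0);
}

my %form = (
    first => taint_value('Mary-Ann'),
    last  => taint_value('O Brien'),
    phone => taint_value('555-123-4567'),
);

printf "before: first tainted=%d phone tainted=%d\n",
    tainted($form{first}) ? 1 : 0, tainted($form{phone}) ? 1 : 0;

# Validate and untaint the caller's variables in place, once.
val_alpha(\$form{first}, \$form{last});
val_phone(\$form{phone});

printf "after:  first tainted=%d phone tainted=%d\n",
    tainted($form{first}) ? 1 : 0, tainted($form{phone}) ? 1 : 0;

# A hostile value never reaches $1, so it never becomes untainted.
my $bad = taint_value('Mary; rm -rf /');
eval { val_alpha(\$bad) };
print "rejected: $@" if $@;
printf "bad still tainted=%d\n", tainted($bad) ? 1 : 0;
```

Calling a validator once per variable replaces the pattern of re-reading a package global like $Validate::var each time; after the call, $form{first} itself passes taint checks for open(), system() and similar. The (\$) prototype Zaxo mentioned is an alternative spelling of the same idea: declaring sub val_alpha(\$) lets the caller write val_alpha($foo) and still receive a reference, though a fixed prototype no longer accepts an arbitrary list of variables the way @_ of references does.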

      Fantastic! Thanks much. I was hoping to find a way to write my routines in less code, only because it seemed like calling it every time, as you pointed out, was messy. Though I will have to call more specific regexes as I start validating/untainting phone numbers, etc. Anyway, I'll look forward to trying this out over the weekend (still have the day job).

      —Brad
      "A little yeast leavens the whole dough."