in reply to Re: Re: Do I have to untaint all user input in a form?
in thread Do I have to untaint all user input in a form?

A second look shows me that, the way you use Validate.pm, you are getting untainted data by immediately using the global $Validate::var. That is an awkward design which demands you call the validation/untaint function each time you need the variable (since $var may have changed in the interim). The solution is to write your functions to validate and untaint the variable you hand them. Here is how to write your val_alpha() function that way (untested):

# val_alpha validates as [:alpha:], spaces, and hyphens.
# Usage: val_alpha \$foo [, \$bar]
# Each argument is a reference to the scalar to be checked; the
# variable is overwritten with the captured (untainted) text.
sub val_alpha {
    for (@_) {
        if ($$_ =~ /^([A-Za-z -]*)$/) {
            $$_ = $1;    # assigning a regex capture clears the taint
        }
        else {
            error_page();
        }
    }
    1;
}
That should validate and untaint for all time the variables you hand it.

After Compline,
Zaxo
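An added example, not Zaxo's code and not from the original thread, that follows the untaint-by-reference design above and shows what a practitioner would want to check: that the variables really are tainted before and clean after when run under perl -T (Scalar::Util::tainted reports this), that a hostile value is rejected rather than cleaned, and how a second validator (a phone number, as the reply below anticipates) can share the same helper. error_page(), untaint_refs, val_phone and the sample values are assumptions made for this demo; \A and \z are used instead of ^ and $ so a trailing newline cannot slip past the anchor.

```perl
#!/usr/bin/perl
# Run with taint checks enabled:  perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical stand-in for the poster's error_page(): under taint mode
# the safe failure is to stop rather than continue with the raw value.
sub error_page { my ($what) = @_; die "Validation failed for $what\n"; }

# Generic untaint-in-place. Every element of @refs is a reference to a
# scalar; only the text captured by $re is written back, so the variable
# is untainted for the rest of the program (assumed helper name).
sub untaint_refs {
    my ($name, $re, @refs) = @_;
    for my $ref (@refs) {
        if (defined $$ref && $$ref =~ $re) {
            $$ref = $1;
        }
        else {
            error_page($name);
        }
    }
    return 1;
}

# Letters, spaces and hyphens only. \A and \z rather than ^ and $:
# /^...$/ lets "Brad\n" match because $ accepts a trailing newline.
sub val_alpha { untaint_refs('alpha', qr/\A([A-Za-z -]*)\z/, @_) }

# Ten-digit phone number with optional separators, normalised to digits
# (assumed format for the demo). The substitution leaves the copy
# tainted; only the capture in untaint_refs clears it.
sub val_phone {
    for my $ref (@_) {
        (my $digits = $$ref // '') =~ s/[\s().-]//g;
        untaint_refs('phone', qr/\A(\d{10})\z/, \$digits);
        $$ref = $digits;
    }
    return 1;
}

# Constructed sample input. Under -T every value in %ENV is tainted, and
# a zero-length substring of tainted data stays tainted, so appending it
# gives tainted strings to work with without a real CGI request.
my $taint = substr(join('', values %ENV), 0, 0);
my $name  = 'Brad Cathey' . $taint;
my $phone = '(616) 555-0123' . $taint;

printf "before: name tainted=%d  phone tainted=%d\n",
    (tainted($name) ? 1 : 0), (tainted($phone) ? 1 : 0);
val_alpha(\$name);
val_phone(\$phone);
printf "after:  name='%s' tainted=%d  phone='%s' tainted=%d\n",
    $name, (tainted($name) ? 1 : 0), $phone, (tainted($phone) ? 1 : 0);

# A hostile value is rejected instead of being untainted.
my $bad = "Brad<script>" . $taint;
eval { val_alpha(\$bad) };
print "rejected: $@";
```

Without the -T switch tainted() always returns false and the script still runs, so the before/after lines only mean something under perl -T. The point the design rests on is that assigning $1 is what clears the taint; the substitution in val_phone does not, which is why the digits copy is still passed through the capturing pattern.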

Re: Re: Re: Re: Do I have to untaint all user input in a form?
by bradcathey (Prior) on Nov 14, 2003 at 20:03 UTC
    Fantastic! Thanks much. I was hoping to find a way to write my routines in less code, only because it seemed like calling it every time, as you pointed out, was messy. Though I will have to call more specific regexes as I start validating/untainting phone numbers, etc. Anyway, I'll look forward to trying this out over the weekend (still have the day job).

    —Brad
    "A little yeast leavens the whole dough."