in reply to Common untainting methods?

When Perl gurus are asked "how do I untaint stuff", they generally answer with "it depends". I understand that, but it seems like there ought to be some common ways of untainting input data in common situations -- e.g. "do this before sending something to a MySQL database" and "do this before using something as an email address".

Well, the answer is it depends. For inserting it in MySQL, it depends on two things. First, how are you inputting the data into the database? If you are using placeholders, you shouldn't have any problems with the insert itself. So, then you can allow anything. But what are you going to do with the data afterwards? If the data in the database is supposed to be trustworthy, you may, or may not, have to filter out characters, or substrings, depending on what you are going to do with it.

It's the same for email addresses. Email addresses themselves aren't dangerous, not even incorrect ones. But they may become dangerous depending on how you use them - even legal email addresses.

To decide how to properly untaint data, what the data is (or isn't) is not relevant; what is important is how you are going to use the data.

Abigail
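As an added example (not part of Abigail's reply, and not code from the original thread), here is a Perl script run under taint mode that shows the two cases above side by side: the same raw input is accepted as-is by a database insert that uses placeholders, but is untainted with a deliberately conservative pattern before it may be handed to an external mailer. The in-memory SQLite database (DBD::SQLite), the `comments` table, the address pattern and the sample inputs are all assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example: untainting decisions driven by how the data will be used.
# Assumes DBD::SQLite is installed; the table and inputs are constructed here.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use DBI;

# Mark a literal as tainted so the demo behaves like real form/CGI input.
# Appending an empty substring of a tainted value taints the result.
sub taint { my ($s) = @_; return $s . substr($ENV{PATH} // '', 0, 0); }

# Use 1: storing in a database through placeholders. The driver quotes the
# value, nothing is interpolated into the SQL string, so the raw (tainted)
# input is acceptable here. Returns the row count after the insert.
sub store_comment {
    my ($dbh, $author, $body) = @_;
    $dbh->do('INSERT INTO comments (author, body) VALUES (?, ?)',
             undef, $author, $body);
    return $dbh->selectrow_array('SELECT COUNT(*) FROM comments');
}

# Use 2: passing the same value to an external program. Perl refuses to exec
# with tainted arguments, and a newline in an address would let extra mail
# headers through, so extract only what matches a pattern we have chosen.
# The pattern is an assumption for this example, not a full RFC 5322 parser.
sub untaint_email {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

# The argument list we would hand to sendmail (list-form open, no shell).
sub mail_command {
    my ($clean) = @_;
    return ('/usr/sbin/sendmail', '-oi', '--', $clean);
}

# Constructed sample inputs: a plain address, one with an embedded newline,
# and one that is not an address at all.
my @inputs = map { taint($_) } (
    'alice@example.com',
    "bob\@example.com\nBcc: other\@example.net",
    'not an address',
);

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE comments (author TEXT, body TEXT)');

for my $addr (@inputs) {
    (my $shown = $addr) =~ s/\n/\\n/g;
    my $rows = store_comment($dbh, $addr, 'hello');   # fine: placeholder
    printf "%-42s tainted=%d stored (rows=%d); ", $shown, tainted($addr) ? 1 : 0, $rows;

    my $clean = untaint_email($addr);
    if (defined $clean) {
        # The capture is untainted, so exec would be permitted with it.
        printf "mailer ok (tainted=%d): %s\n", tainted($clean) ? 1 : 0,
               join ' ', mail_command($clean);
    } else {
        print "rejected before it reaches the mailer\n";
    }
}
```

Run it as `perl -T script.pl` (the `-T` switch must be given on the command line as well as the shebang, or Perl stops with "Too late for -T"). The first address is stored and also passes untainting; the second and third are still stored without trouble via the placeholder, but are rejected for the mailer, which is exactly the point that the right untainting depends on the use, not on the data.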