Fellow more-XP'd monks,
In my quest to relearn Perl-a-la-PM, I'm trying to grasp the art of form validation for untainting purposes. My questions here are not about my regexes (I'm open to suggestions, but I do most of the heavy lifting in...(gulp)... Javascript), but I want to re-validate in my .pl to keep Taint happy.

My Questions:
1. For the purposes of untainting, do I have to validate every user input value, even though they are all going into a database? I.e., is it overkill? Or is it just good practice? (I know I won't get any errors unless I try to open, eval, etc.)

2. Is there a more efficient way to code my validation calls and subs? (I know there are validation modules out there, like CGI::Validate, but I couldn't find anything specific enough. But hey, I'm open!)

3. I realize these are baby-steps, but foundational. So, am I "getting it"?
#!/usr/bin/perl -wT
print "Content-type: text/plain\n\n";

use lib "/Library/WebServer/CGI-Executables/";   # Mac :) -- where Validate.pm lives
use CGI::Carp qw(fatalsToBrowser);
use strict;
use Validate;
use Data::Dumper;
use CGI qw(:standard);

new CGI;

# Each call checks one tainted param; the untainted copy lands in $Validate::val
Validate::val_alpha(param('name'));
my $name = $Validate::val;

Validate::val_date(param('date'));
my $date = $Validate::val;

Validate::val_phone(param('phone'));
my $phone = $Validate::val;

Validate::val_email(param('email'));
my $email = $Validate::val;

print Dumper($name, $date, $phone, $email);   # testing only
# eventually write to the database

__END__
Code for Validate.pm:
package Validate;   # use package to declare a module

our $val;   # holds the untainted value after a successful check

# Letters, spaces and hyphens only
sub val_alpha {
    $val = shift;
    if ($val =~ /^([A-Za-z \-]*)$/) {
        $val = "$1";
    } else {
        &error_page;
    }
}

# Accepts 3-3-4 digit groups with optional ( ) . - separators, normalizes to 555-555-5555
sub val_phone {
    $val = shift;
    if ($val =~ /^[\(]?(\d{3})[\)\.\-]?(\d{3})[\)\.\-]?(\d{4})$/) {
        $val = "$1-$2-$3";
    } else {
        &error_page;
    }
}

# MM-DD-YYYY (digits and dashes only; no range check on month/day)
sub val_date {
    $val = shift;
    if ($val =~ /^(\d{2})-(\d{2})-(\d{4})$/) {
        $val = "$1-$2-$3";
    } else {
        &error_page;
    }
}

# local-part@domain.tld; the @ is escaped so Perl cannot mistake it for an array
sub val_email {
    $val = shift;
    if ($val =~ /^([\w\.\-]{3,})\@([\w\.\-]{3,})\.([A-Z]{2,3})$/i) {
        $val = "$1\@$2.$3";
    } else {
        &error_page;
    }
}

sub error_page {
    print "HTML error page prints here\n";
    exit;
}

1;

Thanks!

—Brad
"A little yeast leavens the whole dough."
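On the question of coding the validation calls more efficiently, here is an added example (not Brad's code) that keeps the same regex-capture untainting but drives it from a table, returns the clean values instead of writing a package global, and uses Scalar::Util::tainted to show that the taint flag really was cleared. The %validators table and validate_params are hypothetical names; the regexes follow the post's, with the email `@` escaped, and the sample input is constructed.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as: perl -T this_script.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical validator table: field => [ anchored regex with captures, formatter ].
# Only the captured groups reach the clean value; that is what clears the taint flag.
my %validators = (
    name  => [ qr/^([A-Za-z \-]{1,60})$/,                            sub { $_[0] } ],
    date  => [ qr/^(\d{2})-(\d{2})-(\d{4})$/,                        sub { "$_[0]-$_[1]-$_[2]" } ],
    phone => [ qr/^\(?(\d{3})[\)\.\-]?(\d{3})[\.\-]?(\d{4})$/,       sub { "$_[0]-$_[1]-$_[2]" } ],
    email => [ qr/^([\w\.\-]{3,})\@([\w\.\-]{3,})\.([A-Za-z]{2,3})$/, sub { "$_[0]\@$_[1].$_[2]" } ],
);

# Check every field of a raw-input hash against its validator.
# Returns (\%clean, \@errors) so the caller sees all failures at once
# instead of exiting on the first one.
sub validate_params {
    my ($raw) = @_;
    my (%clean, @errors);
    for my $field (sort keys %validators) {
        my ($re, $fmt) = @{ $validators{$field} };
        my $value = defined $raw->{$field} ? $raw->{$field} : '';
        if (my @caps = ($value =~ $re)) {
            $clean{$field} = $fmt->(@caps);   # built only from untainted captures
        } else {
            push @errors, "$field: rejected";
        }
    }
    return (\%clean, \@errors);
}

# Constructed sample input. Concatenating an empty substring of the (tainted)
# $ENV{PATH} marks each value tainted, the same state CGI parameters have under -T.
my $taint = substr($ENV{PATH} // '', 0, 0);
my %raw = (
    name  => 'Jane Doe'         . $taint,
    date  => '12-25-2004'       . $taint,
    phone => '555-1212'         . $taint,   # missing area code: must be rejected
    email => 'jane@example.com' . $taint,
);

my ($clean, $errors) = validate_params(\%raw);
for my $field (sort keys %$clean) {
    printf "%-5s raw tainted=%d clean tainted=%d value=%s\n", $field,
        tainted($raw{$field}) ? 1 : 0, tainted($clean->{$field}) ? 1 : 0, $clean->{$field};
}
print "error: $_\n" for @$errors;
```

Invoke it with `perl -T` (the shebang alone is rejected with "Too late for -T" when the script is passed as an argument), and regardless of how strict the validation is, hand the clean values to the database through DBI placeholders rather than interpolating them into SQL.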

In reply to Do I have to untaint all user input in a form? by bradcathey
