Yes, you'll have to use -T to enable taint checking. It cannot do your work for you, though. It merely prevents you from accidentally using unfiltered user input to perform dangerous operations. The onus for defining what data is well-formed and safe to accept and what's not is still on you.

The only way to get untainted data from a tainted variable is to perform a pattern match, and capture some or all of the data. The captured data is then untainted. F.ex, if you have an input value that must only consist of digits, you could untaint it like so:

    unless ( $some_user_input =~ /^(\d+)$/ ) {
        die "You did not pass only digits for some_input\n";
        # or you produce an error page here or send the user back if it's a CGI, f.ex
    }
    my $untainted_user_input = $1;   # $1 holds the captured digits, which are untainted

Now you can perform dangerous operations using $untainted_user_input.

Of course, nothing stops you from using /(.*)/s as the test pattern, therefore accepting any input at all and thus defeating the point of taint checks.

Ovid's excellent CGI course has an enlightening chapter on how to untaint data sensibly, treating taint checking as an ally that will help you avoid getting exploited.

There are modules on CPAN that will help you with common untainting tasks — look for the various Untaint modules.

Makeshifts last the longest.


In reply to Re^3: Please explain this tainting behaviour by Aristotle
in thread Please explain this tainting behaviour by Anonymous Monk
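As an added example (it is not part of Aristotle's post, and the script name and the /tmp path it uses are assumptions made for the demo), the following script, run as perl -T untaint_demo.pl <value>, shows what the post describes: the raw command-line value is tainted and perl refuses to use it in a write open; a narrow pattern match yields an untainted copy that perl then accepts; and the catch-all /(.*)/s also yields an untainted copy, which is exactly why it is a trap. Taint status is inspected with Scalar::Util::tainted.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). Run as:  perl -T untaint_demo.pl 42
# The script name and the /tmp path below are assumptions made for this demo.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value that came from outside the program (here @ARGV) is tainted.
my $raw = @ARGV ? $ARGV[0] : die "usage: perl -T $0 <value>\n";

# Strict allow-list: the whole string must be ASCII digits.  The capture is
# untainted because it came out of a pattern match; it is *safe* only because
# the pattern is narrow.  \A and \z anchor at the true ends of the string
# (a plain $ would still match before a trailing newline).
sub untaint_digits {
    my ($in) = @_;
    return unless defined $in && $in =~ /\A([0-9]+)\z/;
    return $1;
}

# Anti-pattern: as far as perl is concerned the capture is untainted, but
# nothing has been validated.  This defeats the purpose of -T.
sub untaint_anything {
    my ($in) = @_;
    $in =~ /\A(.*)\z/s;
    return $1;
}

# A "dangerous operation": opening a file for writing whose name contains the
# value.  perl refuses this with "Insecure dependency in open" when the name
# is tainted, and allows it when the name is untainted.
sub try_write {
    my ($name) = @_;
    my $path = "/tmp/untaint_demo.$name";
    my $ok = eval {
        open my $fh, '>', $path or die "open $path: $!\n";
        close $fh;
        unlink $path;
        1;
    };
    return "allowed" if $ok;
    my $err = $@;
    chomp $err;
    return "refused ($err)";
}

sub status { tainted($_[0]) ? "tainted" : "untainted" }

printf "raw value      : %-12s %s\n", "'$raw'", status($raw);
printf "open with raw  : %s\n",        try_write($raw);

my $digits = untaint_digits($raw);
if (defined $digits) {
    printf "digits-only    : %-12s %s\n", "'$digits'", status($digits);
    printf "open with it   : %s\n",        try_write($digits);
} else {
    print  "digits-only    : rejected, input was not all digits\n";
}

my $anything = untaint_anything($raw);
printf "catch-all      : %-12s %s  <- unvalidated, do not use this\n",
       "'$anything'", status($anything);
```

The -T must be on the perl command line as well as in the shebang (perl reports "Too late for -T" otherwise). Run it once with a value such as 42 and once with something like ../etc to see the write open refused on the raw value, allowed on the digits-only capture, and the catch-all capture reported as untainted even though it is whatever the caller typed. If a script uses the pragma use re 'taint', captures from tainted strings stay tainted and none of the pattern-match untainting above applies.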
