I'm trying to make a function called param which is a wrapper for CGI::param. Its only purpose is to go through what is returned from param($string) and untaint it.

Here is the code I've got: 

package GWP::Safe;
$VERSION='1.0';
require 5.000;
require Exporter;

use lib "modules";
use GWP::Prefs;
use CGI ();

@ISA = qw(Exporter);
@EXPORT = (
           'param'
          );

use strict;

# this is to fix tainting
sub param($) {
    my ($string) = @_;

    if (defined wantarray and wantarray == 1) {
        my @retval = CGI::param($string);
        for(my $i = 0; $i <= $#retval; $i++) {
            $retval[$i] =~ /(.*)/;
            $retval[$i] = $1;
        }
        return @retval;
    }
    else {
        my $retval;
        $retval = CGI::param($string);  # this is always undef!
        if ($retval =~ /(.*)/) {
            $retval = $1;
        }
        else {
            error ("Bad data in $retval");
        }
        return $retval;
    }
}

[download]

Now when I run it (I've only tried asking for a scalar) then $retval is always undef after calling CGI::param($string). I know that the $string I'm asking for is in the form.

I've also tried calling my sub 'safeparam' and then importing param from CGI into my namespace so that I can call it normally, and that produces the same results.

Does anyone have an idea of why this is happening, or if there is already an untainting CGI wrapper out there?

Thanks,
Dan

In reply to CGI::param wrapper for untainting by dcardamo

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.