Update: here is the corrected code in its entirety

ps: original post is below this code snippet

#!/usr/bin/perl -Tw

use strict;
## Path set to minimal default
$ENV{PATH} = "/usr/bin:/bin:/usr/sbin";

use warnings;
use subs qw(isHostValid);
use CGI qw( :standard );
use CGI::Carp qw(fatalsToBrowser);

## Capture error message
BEGIN{
    CGI::Carp::set_message(\&carp_error);
}

## Path of nslooku. Change this to the path of your nslookup
my $NSLOOKUP = '/usr/bin/nslookup';
## Path of sendmail. change this to the path of your sendmail
my $SENDMAIL = '/usr/sbin/sendmail';
## Set your email address here
my $RECIP = 'youremail@here.com';


############################################################
#                    ACTION HANDLER                        #
############################################################
#
#
if($ENV{REQUEST_METHOD} eq 'POST'){
        ## Fetch form data input
        my $name_in = param('name');
        my $name = q{};
        my $email_in = param('email');
        my $email = q{};
        my $comments_in = param('comments');
        my $comments = q{};
        
        
        ## Check for html tags in name field
        if($name_in !~ /<.*>/){
                $name_in =~ /(.*)/;
                $name = $1;
        }else{
            die ("oops! you have html tags. naughty, naughty!");
        }
        
        ## Check to see if email is valid. 
        ## Does not match email addresses using an IP address instead 
        ## of a domain name.
        if ($email_in =~ m/\b[a-z0-9._%-]+@[a-z0-9.-]+\.[a-z]{2,4}\b/)
+{
            
            $email_in =~ /(.*)/;
            $email = $1;
        }else{
            die ("oops! your email address is not valid one");
        }
        
        ## Check for html tags in name field;
        if($comments_in !~ /<.*>/ ){
        $comments_in =~ /(.*)/;
        $comments = $1;
        }else{
            die ("oops! you have html tags. naughty, naughty!");
        }
        
        ## Okay! you have passed the tests. now the ultimate test.
        my @result = split(m/@/, $email);
        
        if(!isHostValid($result[1])) {
                die ("Oops! invalid host name");
        }
        
        ## Send form data to your email address
        open (MAIL, "|$SENDMAIL -t");
        print MAIL "To: $RECIP\n";
        print MAIL "Reply: $email\n";
        print MAIL "Subject:email from web form\n";
        print MAIL "\n\n";
        print MAIL "name: ". $name."\n" ;
        print MAIL "emial: ".$email."\n" ;
        print MAIL "comments: ".$comments."\n" ;
        print MAIL "\n\n";
        close (MAIL);

        ## Display confirmation message
        print header;
        print start_html;
        print "Thanks you for using the comment form.
                We are going to get back to you as soon
                as we can say thank you again.";
        print end_html;
}else{
    ## Display form
        print header;
        print start_html;
        print start_form(-method => "post", -action => "");
        print h4("Contact Form");
        print "Name: ", textfield(-name => "name"), br;
        print "E-mail: ", textfield(-name => "email"), br;
        print "Enter your comments:", br;
        print textarea(-name => "comments", -rows => "5", -column => "
+50"), br;
        print submit(-value => "Submit");
        print end_form;
        print end_html;
}

##
# Subroutine checks if the host is valid
#
# @param    host
#
sub isHostValid{
        my $host = shift;
    
      $/='';
    open(my $fh, "-|", $NSLOOKUP, "-type=any", $host)
          or die "unable to exec $NSLOOKUP: $!";
    my @response = <$fh>;
          close $fh;
          $/='\n';
          
          return 1 if (grep /Name:\s+$host/, @response);   
          return 0;
}

##
# Subroutine displays error message
#
# @param     error_message
#
sub carp_error{
    my $error_message = shift();
    
    print start_html("Error") .
                h1("Error") .
                p("Sorry, the following error has occurred: ") .
                p(i($error_message)) .
                end_html;
}

[download]


##############Original Post#######################

elloo,
i need tiny bit of help with security issue in my coding. i've created a simple script for form emailing and i think i've covered most of the security issues however i've one issue i cannot resolve. in the section below i've "insecure dependency in piped open". my question is how can i get around this issue 
sub isHostValid{
        my $host = shift;
    my $NSLOOKUP = '/usr/bin/nslookup';
    
      $/='';
    my $fh = new IO::File "$NSLOOKUP -type=any $host 2>&1 |";
    my @response = <$fh>;
          close $fh;
          $/='\n';
          
          if (grep /Name:\s+$host/, @response){
              return 1;   
          }
          
          return 0;
}

[download]
Here is all my code below. please feel free to comment on the code.

many thanks in advance

#!/usr/bin/perl -w

use strict;
use warnings;
use CGI qw( :standard );
use CGI::Carp qw(fatalsToBrowser);
use IO::File;
use English qw(-no_match_vars);
local $OUTPUT_AUTOFLUSH = 1;

## Path set to minimal default
$ENV{PATH} = "/usr/bin:/bin:/usr/sbin";


## Capture error message
BEGIN{
    CGI::Carp::set_message(\&carp_error);
}


############################################################
#                    ACTION HANDLER                        #
############################################################
#
#
if($ENV{REQUEST_METHOD} eq 'POST'){
        ## Fetch form data
        my $name = param('name');
        my $email = param('email');
        my $comments = param('comments');
        
        ## Check for html tags
        if($name =~ /<.*>/ || $comments =~ /<.*>/ ){
                die ("oops! you have html tags. naughty, naughty!");
        }
        ## Check to see if email is valid. 
        ## Does not match email addresses using an IP address instead 
+of a domain name.
        if ($email !~ m/\b[a-z0-9._%-]+@[a-z0-9.-]+\.[a-z]{2,4}\b/){
                die ("oops! your email address is not valid one");
        }
        
        ## Okay! you have passed the test. you have a valid email addr
+ess.
        my @result = split(m/@/, $email);
        
        if(isHostValid($result[1])) {
                die ("Oops! invalid host name");
        }
        
        # Change this to the path of your sendmail
        my $mail_prog = '/usr/sbin/sendmail';
        # Change this to your email address
        my $recip = 'youremail@host.com';

        open (MAIL, "|$mail_prog -t");
        print MAIL "To: $recip\n";
        print MAIL "Reply: $email\n";
        print MAIL "Subject:email from web form\n";
        print MAIL "\n\n";
        print MAIL "name: ". $name."\n" ;
        print MAIL "emial: ".$email."\n" ;
        print MAIL "comments: ".$comments."\n" ;
        print MAIL "\n\n";
        close (MAIL);

        
        ## Display confirmation message
        print header;
        print start_html;
        print "Thanks you for using the comment form.
                We are going to get back to you as soon
                as we can say thank you again.";
        print end_html;
}else{
    ## Display form
        print header;
        print start_html;
        print start_form(-method => "post", -action => "");
        print h4("Contact Form");
        print "Name: ", textfield(-name => "name"), br;
        print "E-mail: ", textfield(-name => "email"), br;
        print "Enter your comments:", br;
        print textarea(-name => "comments", -rows => "5", -column => "
+50"), br;
        print submit(-value => "Submit");
        print end_form;
        print end_html;
}

##
# Subroutine checks if the host is valid
#
# @param    host
#
sub isHostValid{
        my $host = shift;
    my $NSLOOKUP = '/usr/bin/nslookup';
    
      $/='';
    my $fh = new IO::File "$NSLOOKUP -type=any $host 2>&1 |";
    my @response = <$fh>;
          close $fh;
          $/='\n';
          
          if (grep /Name:\s+$host/, @response){
              return 1;   
          }
          
          return 0;
}

##
# Subroutine displays error message
#
# @param     error_message
#
sub carp_error{
    my $error_message = shift();


    
    print start_html("Error") .
                h1("Error") .
                p("Sorry, the following error has occurred: ") .
                p(i($error_message)) .
                end_html;
}

[download]

In reply to Insecure dependency in piped open by gugubanana

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.