in reply to Question about untainting data

You only have to untaint data you attempt to use in a critical operation. If you're using tainted data in, say, your open calls, unlink, system, etc., you need to un-taint your data first. If you're just printing data or using it for decision-making, you don't have to untaint it.

This doesn't apply to just form data. Any data that is retrieved from outside of your script is potentially bad and potentially made harmful. Perl marks it as tainted, and will prevent you from trying to use it in any critical operations, since the effects could be adverse.
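The distinction above (tainted data may be printed or tested, but not passed to a file-modifying or process-spawning call until untainted) as an added, runnable illustration. This is example code written for this page, not code from the original post; the "form input" is a constructed value that is deliberately tainted by concatenating a zero-length slice of `$ENV{PATH}`, and the file names and the `untaint_filename` helper are this example's own. Run it as `perl -T taint_demo.pl`; the `-T` on the command line has to match the shebang, otherwise perl stops with "Too late for -T option".

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;

# Constructed "form input". A string literal is never tainted, so we borrow
# taint from %ENV, which is always tainted under -T: appending a zero-length
# slice of $ENV{PATH} taints the value without changing its contents.
my $user_supplied = 'notes.txt' . substr($ENV{PATH} // '', 0, 0);
printf "input is %s\n", tainted($user_supplied) ? 'tainted' : 'untainted';

# Non-critical uses: printing and branching on tainted data are allowed.
print "Requested file: $user_supplied\n";
print "Looks like a text file\n" if $user_supplied =~ /\.txt\z/;
# That match does not untaint $user_supplied; only a captured group from a
# successful match is treated as untainted.

# Critical use: opening a file for writing with a tainted name is refused
# (perl dies with an "Insecure dependency" error); eval catches the death.
my $target = File::Spec->catfile(File::Spec->tmpdir, $user_supplied);
my $wrote = eval { open(my $fh, '>', $target) or die "open: $!"; close $fh; 1 };
print "open refused: $@" unless $wrote;

# Untainting: an allow-list regex. The capture $1 is untainted; input that
# does not match is rejected outright rather than "cleaned up".
sub untaint_filename {
    my ($raw) = @_;
    return $1 if $raw =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]*)\z/;
    return;
}

my $clean = untaint_filename($user_supplied);
die "rejected unsafe file name\n" unless defined $clean;
printf "after untaint: %s\n", tainted($clean) ? 'tainted' : 'untainted';

# The same value, now untainted, is accepted by the critical operations.
my $safe_target = File::Spec->catfile(File::Spec->tmpdir, $clean);
open(my $out, '>', $safe_target) or die "open $safe_target: $!";
print {$out} "written under taint mode\n";
close $out;
unlink $safe_target;
print "wrote and removed $safe_target\n";

# The allow-list also rejects a constructed path-traversal input, because
# '/' and a leading '.' are outside the permitted character set.
my $bad = '../../etc/passwd' . substr($ENV{PATH} // '', 0, 0);
print "traversal input rejected\n" unless defined untaint_filename($bad);
```

The design point is in `untaint_filename`: it describes what is acceptable and returns the capture, instead of stripping characters it considers dangerous, so anything unexpected fails closed. Reading a file with a tainted name is not itself blocked by taint mode; writing, `unlink`, `system` and the other operations the post lists are.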

RE: Re: Question about untainting data
by elwarren (Priest) on Nov 04, 2000 at 02:43 UTC
    I think that filtering your output depends more on your application. If you're writing code to collect some data from users then it's not a big deal. But if you're writing a guestbook you may want to filter input for stuff like malicious javascript.

    It's a shame we have to do this too.

    Slightly off topic, but still important to the security question.
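The guestbook case elwarren raises, as an added example that is not part of the thread: rather than trying to recognise malicious JavaScript in the input, escape every user-supplied value at the moment it is written into the page, so a `<script>` tag is displayed as text instead of being executed by the browser. Core Perl only; `escape_html` and `render_entry` are this example's own helpers, and the guestbook entry is a constructed input.

```perl
#!/usr/bin/perl
# Added example, not from the original thread.
use strict;
use warnings;

# Replace the five characters that can change HTML structure or break out
# of a quoted attribute with their entity equivalents. A single substitution
# pass means an existing '&' is never escaped twice.
sub escape_html {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Render one guestbook entry. Escaping happens once, at output time, so the
# stored text can stay as typed and the page is safe whatever it contains.
sub render_entry {
    my ($name, $message) = @_;
    return sprintf "<p><b>%s</b> wrote: %s</p>\n",
        escape_html($name), escape_html($message);
}

# Constructed entry: an attribute breakout in the name and a script tag in
# the message. Both come out as inert text.
my $name    = 'guest" onmouseover="alert(1)';
my $message = 'hi <script>alert(1)</script> & bye';
print render_entry($name, $message);
```

Escaping on output covers every path the data takes into the page, including values that were stored before any input filter existed, which is why it is the primary control; input filtering is at best a supplement.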