Re^2: Taint mode... use all the time?

This is meaningful in a web application, where you want to protect your servers from web monkeys trying to poke and prod their way through your application to the OS.

s/servers from web monkeys/computers from users/

That's a waste of cycles if such checks aren't required.

"Yeah, some luser stole the CC database, ordered $10_000_000_000 of goods, sold the customer list to spammers and deleted all the real orders, but hey! the application runs 0.002% faster!"

Sorry, I don't agree: if you're dealing with user input in a situation where they could (intentionally or unintentionally*) damage the system and the language offers you a helping hand, why not use it?

I use -T for pretty much anything that's going to be run by anyone except me (I assume I'll supply only valid input -- I'm right _most_ of the time): Like use strict; it helps me write good code, in this case ensuring I validate user input.

* "What due you mean I can't use spaces, (), &, ;, *, ? in filenames?"

-- Sorry if this is abrupt:it's been a rough week!

Comment on Re^2: Taint mode... use all the time? Select or Download Code

Replies are listed 'Best First'.
Re^3: Taint mode... use all the time? by Anonymous Monk on Feb 14, 2005 at 15:04 UTC
Sorry, I don't agree: if you're dealing with user input in a situation where they could (intentionally or unintentionally*) damage the system and the language offers you a helping hand, why not use it? Yes, but that's a far cry from "having it on all the time". Most users cannot (on a proper system) damage the system anyway. It doesn't make sense to have taint checking on oh, say "ls", or "vi" (unless you were to make a restricted shell inside "vi"). And it's not that the language offers you a helping hand free of costs. It's like equiping electronic locks on all the doors in your house - including the doors to any closets, and the lid on your toilet. Locks that can only be unlocked (for one time usage, closing the door auto-locks) by typing in 16 character hex code. Sure, it helps reduce theft from your home. But it isn't very convenient to go from one room to another anymore.	[reply]

Replies are listed 'Best First'.

Re^3: Taint mode... use all the time?
by Anonymous Monk on Feb 14, 2005 at 15:04 UTC

Sorry, I don't agree: if you're dealing with user input in a situation where they could (intentionally or unintentionally*) damage the system and the language offers you a helping hand, why not use it?

And it's not that the language offers you a helping hand free of costs. It's like equiping electronic locks on all the doors in your house - including the doors to any closets, and the lid on your toilet. Locks that can only be unlocked (for one time usage, closing the door auto-locks) by typing in 16 character hex code. Sure, it helps reduce theft from your home. But it isn't very convenient to go from one room to another anymore.

[reply]