in reply to Re^3: Taint mode... use all the time?
in thread Taint mode... use all the time?

After all, if the user is going to try to mess with the client, all he can do is screw himself.

Even if it's the result of bad input (perhaps especially if ...), it will be in the user's mind "the program's fault" -- "the program trashed my disk/registry/irreplaceable data file/..." and you'll be the one who gets bad-mouthed.

If *, (), rm -rf /, ;"@{unlink <*>}" aren't valid in filenames, then don't let them be there. And having Perl cover your a** takes only one extra char!

Re^5: Taint mode... use all the time?
by Anonymous Monk on Feb 14, 2005 at 15:09 UTC
    And having Perl cover your a** takes only one extra char!
    No, that's a myth. Sure, it takes one (or rather two) characters to turn on taint checking. But turning on -T doesn't mean Perl validates data for you! You still need to write the validating (and detainting) code. And that takes more than one character.
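To make concrete what both posts are talking about, here is an added example (not code from anyone in this thread) of the split between what -T does for you and what you still have to write. Under -T, anything that arrives from outside the program (command-line arguments, environment, STDIN, file contents) is tainted, and Perl dies with "Insecure dependency" if tainted data reaches unlink, open-for-write, system, and friends. The only way to launder it is to match it against a pattern you chose and use the capture. The filename policy, scratch directory and function name below are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example for this thread: the "one extra char" (-T) makes Perl refuse
# to use user-supplied data in dangerous places; the untainting regex is the
# part you still have to write yourself.
use strict;
use warnings;

# Standard -T prologue: before any system()/backticks Perl insists on a clean
# PATH and no IFS/CDPATH/ENV/BASH_ENV. This script does not exec anything,
# but leaving the prologue out is the usual first "Insecure $ENV{PATH}" error.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed policy for this example: 1..64 chars of [A-Za-z0-9._-], not starting
# with '.', no directory separators. This is the validating code -T does not
# write for you.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # A successful match plus capture is what clears the taint bit; $1 is
    # clean, $raw stays tainted. \A and \z stop "foo\n" from slipping through.
    if ($raw =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]{0,63})\z/) {
        return $1;
    }
    # "*", "rm -rf /", ";@{unlink <*>}", "../etc/passwd" all end up here.
    return;
}

my $dir    = '/tmp/taintdemo';   # assumed scratch directory for the example
my $wanted = shift @ARGV;        # tainted: it came from the command line

my $clean = untaint_filename($wanted);
die "refusing filename '$wanted': not a plain name\n" unless defined $clean;

# Built only from a literal and an untainted capture, so the result is clean.
my $path = "$dir/$clean";
mkdir $dir unless -d $dir;

# Passing $wanted here instead of $clean would die with
# "Insecure dependency in open while running with -T switch".
open my $fh, '>', $path or die "open $path: $!\n";
print {$fh} "ok\n";
close $fh;
print "wrote $path\n";
```

Run it as `perl -T thisscript.pl report.txt` and it writes the file; run it with `'rm -rf /'` or `'*'` and the regex rejects the name before it reaches open. Comment out the untainting and pass `$wanted` to open directly, and -T kills the script instead; that is the "cover your a**" half of the argument, while the regex is the "more than one character" half.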