Pirax has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

I'm trying to get my script working with taint mode on, but...

$GET{mode}

is tainted - ok, all clear.

Result of

($GET{mode} ? 'str1' : 'str2')

is untainted - ok, correct.

But can anyone tell me why the result of something like this:

($GET{mode} ? 'str1' : 'str2').'str3'

is tainted? :/ I have no idea, really... Two untainted strings in result gave a tainted one...

What I know after my research is that any tainted data in the condition of a ternary operator, after concatenation, taints the whole concatenated string.

Re: Taint mode and concatenation
by Anonymous Monk on Nov 16, 2009 at 10:18 UTC
    perldoc perlsec says: "The presence of tainted data anywhere within an expression renders the entire expression tainted."

      Yes, I know, but according to the "exception to the principle" the ternary conditional operator does not taint the result...

      So... Shouldn't this be true everywhere?
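
The three expressions from the question, as an added test script that is not part of the original thread: it reports the taint status your perl assigns to each, using Scalar::Util's tainted(). The %GET contents and the report() helper are assumptions made for the example; the last case moves the ternary into its own statement so the tainted condition is no longer part of the concatenation expression.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: %ENV values are tainted under -T, so a zero-length
# substring of them gives an empty but tainted string to attach to a value.
# %GET stands in for the poster's parsed query hash (assumption).
my $taint = substr(join('', values %ENV), 0, 0);
my %GET   = (mode => 'edit' . $taint);
die "Run this as: perl -T <script>\n" unless tainted($GET{mode});

# Hypothetical helper: print a label and the taint status of one value.
# $_[1] is checked directly so no extra copy of the value is made.
sub report {
    printf "%-48s %s\n", $_[0], tainted($_[1]) ? 'tainted' : 'untainted';
}

# 1. The raw request value.
report('$GET{mode}', $GET{mode});

# 2. Ternary on its own: only the condition is tainted, both branches
#    are constant strings.
my $alone = ($GET{mode} ? 'str1' : 'str2');
report(q{($GET{mode} ? 'str1' : 'str2')}, $alone);

# 3. Ternary and concatenation in one expression, as in the question.
my $joined = ($GET{mode} ? 'str1' : 'str2') . 'str3';
report(q{($GET{mode} ? 'str1' : 'str2').'str3'}, $joined);

# 4. Same result built in two statements: the ternary is assigned first,
#    then the stored value is concatenated in a separate statement.
my $picked = ($GET{mode} ? 'str1' : 'str2');
my $split  = $picked . 'str3';
report('two statements: $picked . q{str3}', $split);
```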