While CGI::Untaint would be good for untainting a mass of variables. It is basicaly more like data validation. To me after looking at CGI::Untaint's documentation it bears a resemblance to a very basic version of Data::FormValidator and is obsoleted by it. Data::FormValidator can be given a regex as a rule to check the input value of a form field. For example:
use strict;
use CGI;
use Data::FormValidator;

my $q = new CGI;

# hashref of data
my $UnsafeData = $q->Vars;


my $validator = new Data::FormValidator( "input_profiles.pl" );
my ( $valid, $missing, $invalid, $unknown ) = $validator->validate(  $
+UnsafeData, "customer_infos" );

[download]
An example of input_profiles.pl taken from the documentation 
           {
               customer_infos => {
                   optional     =>
                       [ qw( company fax country password password_con
+firmation file_path) ],
                   required     =>
                       [ qw( fullname phone email address) ],
                   required_regexp => '/city|state|zipcode/',
                   optional_regexp => '/_province$/',
                   constraints  =>
                       {
                           file_path   => '/([-\w.\/]*)/',
                           email       => "email",
                           fax         => "american_phone",
                           phone       => "american_phone",
                           zipcode     => '/^\s*\d{5}(?:[-]\d{4})?\s*$
+/',
                           state       => "state",
                       },
                   constraint_regexp_map => {
                       '/_postcode$/'  => 'postcode',
                       '/_province$/'  => 'province,
                   },
                   dependency_groups  => {
                       password_group => [qw/password password_confirm
+ation/]
                   }
                   defaults => {
                       country => "USA",
                   },
               }
}

[download]
The data in $valid is now considered untainted and all unexpected fields are put in $unknown as an array ref. Read the documentation on Data::FormValidator as this module will not only allow you to set the rules of the data coming in but also weed out the data that you don't want.

BMaximus

In reply to Re: Re: Re: CGI question: untainting a lot of variables by BMaximus
in thread CGI question: untainting a lot of variables by coolmichael

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.