On Jul 17, Kent, Mr. John (Contractor) said:
>Is there a more efficient/better way to untaint variables
>pulled from a cgi query object?
I'd make an untaint function that took the param() name, a regex to use,
and a default value to use.
    # Assumes $query is a CGI object already in scope.
    # If the regex (which must have one capture group) matches, the
    # captured, untainted text replaces the parameter; otherwise the
    # default is stored and returned instead.
    sub untaint {
        my ($name, $rx, $default) = @_;
        my $ok = $query->param($name) =~ $rx ? $1 : $default;
        $query->param($name, $ok);
        return $ok;
    }
You use it like so:
    my $MOSAIC_SCALE = untaint('MOSAIC_SCALE', qr/(\d+)/, 20);
# etc.
As for your code:
> my($MOSAIC_SCALE) = $query->param('MOSAIC_SCALE') || "20";
> {$MOSAIC_SCALE =~ /(\d+)/;
> $MOSAIC_SCALE = $1;
You should *never* use $DIGIT variables after a regex unless you're sure
the regex *matched*.
--
Jeff "japhy" Pinyan % How can we ever be the sold short or
RPI Acacia Brother #734 % the cheated, we who for every service
http://japhy.perlmonk.org/ % have long ago been overpaid?
http://www.perlmonks.org/ % -- Meister Eckhart
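The stale-$1 hazard japhy describes, shown against the helper above, as an added example (not code from the thread); the request string is constructed so that MOSAIC_SCALE is non-numeric, and the regex is anchored (qr/^(\d+)$/) to reject values like "20abc":

```perl
#!/usr/bin/perl
# Run under "perl -T" to see the taint checks themselves in effect.
use strict;
use warnings;
use CGI;

# Constructed request: MOSAIC_SCALE will NOT match /(\d+)/.
my $query = CGI->new('MOSAIC_SCALE=abc;ZOOM=35');

# Safe helper: $1 is only consulted in the branch where the match
# succeeded; otherwise the default is stored and returned.
sub untaint {
    my ($name, $rx, $default) = @_;
    my $val = $query->param($name);
    my $ok  = (defined $val && $val =~ $rx) ? $1 : $default;
    $query->param($name, $ok);
    return $ok;
}

# The pattern from the quoted code: $1 is read whether or not the
# match succeeded. Capture variables are dynamically scoped and are
# not reset by a failed match, so this returns whatever the last
# successful match in the calling scope captured.
sub unsafe_scale {
    my $scale = $query->param('MOSAIC_SCALE') || "20";
    $scale =~ /(\d+)/;
    return $1;
}

# An unrelated successful match earlier in the same scope.
"ZOOM=35" =~ /(\d+)/;

print "unsafe: ", unsafe_scale(), "\n";                            # 35
print "safe:   ", untaint('MOSAIC_SCALE', qr/^(\d+)$/, 20), "\n";  # 20
```

The unsafe version silently uses a value from a different parameter; the helper falls back to the default and the parameter in $query now holds untainted data.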