On Monday 30 May 2011 14:27:25 'lesleyb' wrote:
> I am a little fearful people will substitute variables on the
> RHS in a CGI script without untainting first and then complain
> when the problems show up.
Whilst I agree helping people learn about taint mode and how to untaint is valuable, I'm not sure it has a place in "look how simple this can be" / "how easy it is to do cool stuff" examples. Taint mode can be useful, but a user trying out simple examples is unlikely to have enabled taint mode unless they know about it.

> [...] Even an example of how to untaint a
> 'basic' RFC822 email address? [...]
>
> if ($data =~ /^([-\@\w.]+)$/) {
>     $data = $1; # $data now untainted
> } else {
>     die "Bad data in '$data'"; # log this somewhere
> }

I'd really not want to see people being encouraged to attempt to validate email addresses with a regex; that's a wheel that should not be re-invented; using e.g. Email::Valid to both untaint and check for validity properly would be a far better approach IMO.

In fact, a "how to validate an email address properly" example would probably be worthwhile, for instance:

    use Email::Valid;
    if (! Email::Valid->address($email_address) ) {
        print "Sorry, that email address is not valid!";
    }

Cheers

Dave P

-- 
David Precious ("bigpresh") http://www.preshweb.co.uk/
"Programming is like sex. One mistake and you have to support it for the rest of your life". (Michael Sinz)
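As an added illustration of the two points raised in this thread (what taint mode actually refuses to do with unchecked input, and the regex untaint versus Email::Valid), here is a small script that is not from the original posts. It assumes Email::Valid is installed, that a `true` binary exists in /bin or /usr/bin, and uses the environment variable EMAIL as a stand-in for a CGI form parameter, since both are tainted under -T; the fallback address is constructed and deliberately tainted so the script also runs with no input.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread.
# Run with: EMAIL='someone@example.com' perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Email::Valid;

# Under -T every value from %ENV, @ARGV, STDIN or a CGI parameter is tainted.
# Constructed input: $ENV{EMAIL} stands in for a form parameter. The fallback
# literal is concatenated with an empty tainted string (taken from the tainted
# $ENV{PATH}) so it is tainted too; that is the usual way to taint on purpose.
my $taint_marker = substr($ENV{PATH} // '', 0, 0);
my $input = ($ENV{EMAIL} // 'user@example.com') . $taint_marker;

# Subprocess calls need a clean PATH under -T, or perl refuses to run them at all.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 1. What goes wrong without untainting: perl dies inside system() when any
#    argument is tainted ("Insecure dependency in system ...").
sub try_use_in_subprocess {
    my ($value) = @_;
    local $@;
    my $ok = eval { system('true', $value) == 0 ? 1 : 0 };
    return defined $ok ? 'ran' : "refused: $@";
}

# 2. The regex untaint quoted above: only the capture ($1) is clean, and the
#    character class decides what is accepted, so it does the validation too.
sub untaint_by_regex {
    my ($data) = @_;
    if ($data =~ /^([-\@\w.]+)$/) {
        return $1;
    }
    die "Bad data in '$data'\n";
}

# 3. Email::Valid: parses the address properly and returns its canonical form,
#    or undef when it is not a valid address (Email::Valid->details says why).
sub validate_email {
    my ($addr) = @_;
    return Email::Valid->address($addr);
}

printf "input %s: %s\n", (tainted($input) ? 'is tainted' : 'is NOT tainted'), $input;
print "system() with raw input -> ", try_use_in_subprocess($input), "\n";

my $via_regex = eval { untaint_by_regex($input) };
if (defined $via_regex) {
    printf "regex untaint -> %s (%s)\n", $via_regex,
        tainted($via_regex) ? 'tainted' : 'untainted';
} else {
    print "regex untaint rejected it: $@";
}

my $via_module = validate_email($input);
if (defined $via_module) {
    # Whether the returned address is also untainted is worth checking rather
    # than assuming; this prints what the installed Email::Valid actually does.
    printf "Email::Valid -> %s (%s)\n", $via_module,
        tainted($via_module) ? 'tainted' : 'untainted';
    print "system() with validated value -> ", try_use_in_subprocess($via_module), "\n";
} else {
    print "Email::Valid rejected it: ", Email::Valid->details, "\n";
}
```

The point of printing `tainted()` for each result is that untainting and validating are separate properties: a capture from a regex is always untainted whatever the pattern allows, while a library's return value should be checked with Scalar::Util::tainted before relying on it in a system() call or file open.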