Phoenix.pm: So, what are the merits of -T on CGI scripts?
David Sinck
sinck at ip100.starwarz.org
Thu Sep 2 18:33:23 CDT 1999
> sub untaint {
>     my ($taint) = @_;
>
>     my $untaint = $taint;
>
>     $untaint =~ s/\.\.//g;   # strip ".." (directory traversal)
>     $untaint =~ s/\+/ /g;    # '+' is a URL-encoded space
>     $untaint =~ s/\;//g;
>     $untaint =~ s/\&//g;
>     $untaint =~ s/\|//g;
>     $untaint =~ s/\>//g;
>     $untaint =~ s/\<//g;
>     $untaint =~ s/\?//g;
>     $untaint =~ s/\*//g;
>     $untaint =~ s/\]//g;
>     $untaint =~ s/\[//g;
>     $untaint =~ s/\'//g;
>     $untaint =~ s/\"//g;
>     $untaint =~ s/\,//g;
>
>     # capturing the whole string and assigning $1 clears the taint flag
>     $untaint =~ /^(.*)$/s;
>     $untaint = $1;
>
>     return($untaint);
> }
>
> These two lines
>
>     $untaint =~ /^(.*)$/s;
>     $untaint = $1;
>
> are what actually remove the taint flag from
> the variable. The other lines are just removing
> "questionable" characters (e.g. shell metacharacters)
> from the variable.
>
> Tony
why not cast
$untaint =~ s/\.\.|[]+;&|<>?*'",]//go;
$untaint =~ /^(.*)$/s;
$untaint = $1;
and get them in one swell foop? (YMMV on actual syntax....)
Well, other than clarity; but that's what comments are for. :-)
David
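As an added example, not part of Tony's or David's posts: under `perl -T` the `/^(.*)$/s` capture launders the taint flag no matter what the string contains, so the blocklist above only helps for the characters it happens to list. An allowlist pattern that describes the expected shape of the value (here a plain file name, an assumption for the example) rejects anything else outright. `Scalar::Util::tainted` is used to show the flag; the inputs are constructed and tainted by concatenating a zero-length `substr` of `$ENV{PATH}`, which is tainted under -T.

```perl
#!/usr/bin/perl -T
# Added example for the thread above; run as "perl -T this.pl" so that
# taint checks are active ("perl this.pl" dies with "Too late for -T").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Blocklist style, as in the quoted untaint(): strip listed metacharacters,
# then capture the whole string.  Anything not on the list survives, and
# /^(.*)$/s clears the taint flag regardless of what is left.
sub untaint_blocklist {
    my ($taint) = @_;
    (my $untaint = $taint) =~ s/\.\.|[]+;&|<>?*\['",]//g;
    $untaint =~ /^(.*)$/s;
    return $1;
}

# Allowlist style: accept only a value that matches the expected shape
# (assumed here: a simple file name of word characters, '.' and '-').
sub untaint_allowlist {
    my ($taint) = @_;
    return $1 if $taint =~ /^([\w.-]+)$/;
    return;                                   # reject everything else
}

# Constructed inputs.  In a CGI they would arrive via %ENV or STDIN; here
# they are tainted deliberately by appending a zero-length slice of the
# (tainted) PATH, the usual way to taint a literal under -T.
my $dirt = substr($ENV{PATH} // '', 0, 0);
for my $input ("report.txt$dirt", 'report.txt$(id)' . $dirt) {
    print "input: $input\n";
    for my $case ([ 'blocklist', untaint_blocklist($input) ],
                  [ 'allowlist', untaint_allowlist($input) ]) {
        my ($name, $value) = @$case;
        printf "  %-9s value=%-18s tainted=%s\n", $name,
            (defined $value ? "'$value'" : 'undef'),
            ((defined $value && tainted($value)) ? 'yes' : 'no');
    }
}
```

For the second input the blocklist version returns `'report.txt$(id)'` untainted, because `$`, `(` and `)` are not on the list, while the allowlist version returns undef.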