<html>
<body>
Well, I am following Pierre Trudeau's lead. It is a bilingual
website, made in Canada. Ideally, the website could be
multi-lingual by placing the phrases in a database instead of a flat, two
language text file.<br><br>
<br>
At 03:47 AM 11/04/2012, Tom Legrady wrote:<br>
<blockquote type=cite class=cite cite="">I'm generally dubious of
constructs like "if $language ne 'english'". (Besides, should
be "lc $language") .. are you certain there will never be
another language ... German .. Cree ... <br><br>
On a Hungarian keyboard from Budapest<br><br>
Tom<br><br>
On Mon, Apr 9, 2012 at 6:10 PM, Chris Jones
&lt;<a href="mailto:cj@enersave.ca">cj@enersave.ca</a>&gt; wrote:<br>
<dl>
<dd>So to confirm:<br><br>
<dd>my $language = &lt;data from outside the program&gt;;<br><br>
<dd>my $index = "index.html";<br><br>
<dd>if( $language ne "english" )<br>
<dd>{<br>
<dd> $index = "indexo.html";<br>
<dd>}<br><br>
<dd># $index is now tainted and<br><br>
<dd>&lt;a href="$index"&gt;<br><br>
<dd># throws an error when selected by the user<br><br>
<dd>If that summarizes my issue, it certainly explains the problems I
have been having.<br><br>
<dd>A follow on question:<br>
<dd>Is data retrieved from a database considered tainted? The
application uses data retrieved from a mysql database. Would this
data also be considered tainted?<br>
<dd>The program uses DBI, DBD-mysql.<br><br>
<br><br>
<br><br>
<dd>At 11:48 PM 06/04/2012, Liam R E Quin wrote:<br>
<dl>
<dd>On Fri, 2012-04-06 at 21:11 -0400, Chris Jones wrote:<br>
<dd>> Uri<br>
<dd>> Thanks again for your help. I have one question about
untainting<br>
<dd>> the files before opening.<br>
<dd>><br>
<dd>> Would not the split untaint the data:<br>
<dd>> my( $key, $value ) = split /\t/ ;<br><br>
<dd>No.<br><br>
<dd>The only ways to untaint data are to use them as keys in a hash (so
$key<br>
<dd>is OK here, but $value is not) or to pick them out of a regular<br>
<dd>expression match with $1, $2, etc.<br>
<dd>The point of marking input data as tainted is so you can catch
things<br>
<dd>like,<br>
<dd>my ($filename, $info) = split;<br>
<dd>system("ls $filename");<br>
<dd>and have filename be "/etc/group;reboot;" or
something<br><br>
<dd>see "perldoc perlsec" for more info.<br><br>
<dd>><br>
<dd>> As long as there are no bad characters in the data that should
untaint it?<br>
<dd>> Again the input config file contains:<br>
<dd>> infilename ../input<br>
<dd>> outfilename ../output<br>
<dd>><br>
<dd>> If I use:<br>
<dd>> my $outfilename = "$confighash{outfilename}";<br>
<dd>> my $modfilename =
"$outfiilename".".mod"; #add the extension<br>
<dd>><br>
<dd>> Would not $modfilename be untainted?<br>
<dd>no. Also watch for the two i's in outfiilename.<br><br>
<dd>The general principle is that data from outside your program cannot
be<br>
<dd>trusted (whereas data from inside your program _probably_ shouldn't
be<br>
<dd>trusted :-)) and untrusted data must never be allowed to affect
the<br>
<dd>world outside your program. Yes, your data file might be safe,
but what<br>
<dd>if it wasn't? How does Perl know?<br><br>
<dd>[...]<br>
<dd>> Which leads to a question about declaring variables and
scope:<br>
<dd>> my( $key, $value ) = split /\t/ ;<br>
<dd>><br>
<dd>> Are these two variables in scope each time through the
loop? That is<br>
<dd>> why I declared them outside the while loop in my original
version.<br><br>
<dd>They are in scope, yes -- but if you have<br><br>
<dd>while ($sun_shines) {<br>
<dd> my $cider = split;<br>
<dd> . . .<br>
<dd>}<br><br>
<dd>then there's a new $cider made each time around the loop.<br><br>
<dd>Hope that helps.<br><br>
<dd>Liam<br><br>
<dd>--<br>
<dd>Liam Quin - XML Activity Lead, W3C,
<a href="http://www.w3.org/People/Quin/">
http://www.w3.org/People/Quin/</a><br>
<dd>Pictures from old books:
<a href="http://fromoldbooks.org/">http://fromoldbooks.org/</a><br><br>
</dl><br>
<dd>>><br>
<dd>Christopher Jones, P.Eng.<br>
<dd>Suite 1801, 1 Yonge Street<br>
<dd>Toronto, ON M5E1W7<br>
<dd>Tel. <a href="tel:416-203-7465">416-203-7465</a><br>
<dd>Fax. <a href="tel:416-946-1005">416-946-1005</a><br>
<dd>email <a href="mailto:cj@enersave.ca">cj@enersave.ca</a><br><br>
<br>
</dl></blockquote>
<x-sigsep><p></x-sigsep>
>><br>
Christopher Jones, P.Eng.<br>
Suite 1801, 1 Yonge Street<br>
Toronto, ON M5E1W7<br>
Tel. 416-203-7465<br>
Fax. 416-946-1005<br>
email cj@enersave.ca<br>
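<p>An added example, not code from any poster in this thread: a taint-mode script that reports what Scalar::Util's tainted() says about the constructs discussed above (split, appending ".mod", a regex capture, and choosing the index page). The allowlist pattern, the "french" key and the sample config lines are assumptions made for the demo; external input is simulated by appending a zero-length tainted slice of $^X.</p>

```perl
# Run as: perl -T taint_demo.pl   (taint checks are only active under -T)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with perl -T\n" unless ${^TAINT};

# Constructed stand-in for external input: a zero-length slice of $^X is
# tainted under -T, and appending it taints the whole string.
my $TAINT = substr($^X, 0, 0);
my @config_lines = map { $_ . $TAINT }
    ("outfilename\t../output", "badname\t/etc/group;reboot;");

# Allowlist for config file names (an assumption for this demo): an optional
# "../" prefix, then a name made only of letters, digits, "_", "." and "-".
my $SAFE_NAME = qr{\A((?:\.\./)?[A-Za-z0-9_][A-Za-z0-9_.-]*)\z};

# Returns an untainted copy if the value matches the allowlist, else undef.
sub untaint_name {
    my ($value) = @_;
    return $value =~ $SAFE_NAME ? $1 : undef;
}

for my $line (@config_lines) {
    my ($key, $value) = split /\t/, $line;
    my $mod = $value . ".mod";          # taint follows the data into $mod
    printf "%-12s split value tainted=%d, with .mod tainted=%d\n",
        $key, tainted($value) ? 1 : 0, tainted($mod) ? 1 : 0;

    my $clean = untaint_name($value);   # regex capture against the allowlist
    if (defined $clean) {
        printf "  accepted %s (tainted=%d)\n",
            "$clean.mod", tainted($clean) ? 1 : 0;
    } else {
        print "  rejected: not a permitted file name\n";
    }
}

# Index page chosen from a table of the program's own literals, keyed by the
# lower-cased language; adding a language is one more row ("french" is a
# hypothetical key name).
my %index_for = (english => "index.html", french => "indexo.html");
my $language  = "FRENCH" . $TAINT;      # constructed tainted input
my $index     = $index_for{ lc $language } // $index_for{english};
printf "index=%s tainted=%d\n", $index, tainted($index) ? 1 : 0;
```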
</body>
</html>