note Jaap In stead of blacklisting with <code> $string =~ tr/\x00-\x09\x0b\x0c\x0e-\x1f//d; </code> one should whitelist, allowing certain characters and forbidding the rest: <code> if ($string =~ m/^([a-zA-Z0-9_])$/) { my $safeString = $1; ### also untainted now } </code> Edit:<br> Ok you say that in the Taint part, but i would add it to the "Null btes are scary" part. 417490 417490