in reply to Security?
As a general rule it's safer to remove anything that doesn't match a safe pattern, rather than anything that matches an unsafe pattern. There is even an old CERT warning about this with examples in several languages, including Perl.
Typically the best thing to do is run Perl in Taint mode (sometimes annoying on NT/IIS) and carefully de-taint your input data. As Abigail-II says though if it's not clear the next coder could removed it if they don't understand it.
For example, this de-taints the data, and only allows though data made up of: dashes; alpha-numerics; white-spaces and the at-symbol.
$output = $1 if ($input =~ /^([-\w\s\@]+)$/);
See also:
- Ovid's CGI Course: CGI Security
- Perl Training Australia: Perl CGI (PDF) Chapter six
--
ajt
In Section
Seekers of Perl Wisdom