Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic

Best way to untaint

by Anonymous Monk
on Jun 24, 2004 at 13:19 UTC ( #369342=perlquestion: print w/replies, xml ) Need Help??
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi!, I have two questions:

1) If I have a.cgi which posts to b.cgi, what is the best way to untaint? I have been using this:

param('firstname') =~ /^([a-zA-Z]+)$/; my $u_firstname = $1; param('lastname') =~ /^([a-zA-Z]+)$/; my $u_lastname = $1;
But I see that lastname could have been bogus, in which case I will have u_lastname be the same as u_firstname, when I'd prefer to let the user know what they entered was bogus.

2) If I have 3 cgi's. a posts to b and b posts to c, how can I make a's params available to c?

gratci, me

Replies are listed 'Best First'.
Re: Best way to untaint
by Abigail-II (Bishop) on Jun 24, 2004 at 13:43 UTC
    You should first check if the match succeeds, then do the assignment. Something like:
    die "Horribly" unless param 'firstname' =~ /^([a-zA-Z])+$/; my $u_firstname = $1; die "Horribly" unless param 'lastname' =~ /^([a-zA-Z])+$/; my $u_lastname = $1;

    As for answer 2, a needs to pass its information to b, and b needs to pass that information to c, in whatever form is most convenient to you. Either encoded in the URL (could be in the path, could be in the query (which is what happens if a browser does a GET form request)), or in the body of the request (which is what happens if a browser does a POST form request). Or you could use smoke signals if you have a fire and a smoke receiver.


Re: Best way to untaint
by Tomte (Priest) on Jun 24, 2004 at 13:35 UTC

    1) Always check for success of your match-operators:

    my ($u_firstname, $u_lastname) = ("Bogus", "Bogus"); if (param('firstname') =~ /^([a-zA-Z]+)$/) { $u_firstname = $1; } else { # handle bogus case } if (param('lastname') =~ /^([a-zA-Z]+)$/) { $u_lastname = $1; } else { # handle bogus case }

    2: do you redirect, or do you use internal requests? in both cases appending the parameters that need to be passed on to the query-string of the url you redirect to/process internally should work; if you do internal requests, use LWP::UserAgent and POST the requests with the needed parameters added according to the respective documenation.


    An intellectual is someone whose mind watches itself.
    -- Albert Camus

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://369342]
Approved by Old_Gray_Bear
[davies]: I've just "approved" using syscalls in perl through inline c for at least the third time, but it still appears to me as unapproved. Is this just me?
[LanX]: erix: other side of the pond
[LanX]: davies: same problem
[Corion]: It had been approved as a Perl Monks Discussion. It should now be approvable into SoPW
[choroba]: Approved
[LanX]: hmm aproval doesn't stick after move? Or was it a race condition
[Corion]: I think you need at least one reload after moving before you can approve in the correct section

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (11)
As of 2017-01-16 15:07 GMT
Find Nodes?
    Voting Booth?
    Do you watch meteor showers?

    Results (151 votes). Check out past polls.