Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister

Untainting input to CGI::Application

by ghettofinger (Monk)
on May 18, 2005 at 18:46 UTC ( #458388=perlquestion: print w/replies, xml ) Need Help??
ghettofinger has asked for the wisdom of the Perl Monks concerning the following question:

Hello everyone,

I have put together quite a few pages using CGI and HTML::Template and I really like it. It works. When I took the little perl knowledge that I had and comined it with Ovid's CGI Course I felt that I had a simple and secure application. I am trying to expand my sites and add more functionality so I have decided to start using CGI::Application. This is a realy cool module and fun to use. I have an issue though. I am not sure how I can untaint input from users. Take the following for example:

sub login{ my $self = shift; my ($nick, $pass) = @_; my $session = $self->param('session'); if(defined $nick and defined $pass){ if($nick eq $pass){ #REPLACE THIS WITH A REAL CHECK!!!! #DO STUFF }else{ #DO OTHER THINGS } }

I have been using CGI::Untaint when I was using just CGI, but now that I am modularizing the site, I am not sure how to go about this. Should I be looking to "$self" and asking for $nick and $pass and then untaint them? Is there a better way to do this now the I am using CGI::Application?

My thanks to all,

Replies are listed 'Best First'.
Re: Untainting input to CGI::Application
by dragonchild (Archbishop) on May 18, 2005 at 18:58 UTC
    CGI::Application is meant to be subclassed. This means that you're supposed to write a class that uses it as a starting point. When I write C::A apps, I actually have 2-3 levels of baseclasses. The first one is my global baseclass. It's my version of what C::A should do. This includes providing a print() method that dispatches between HTML::Template, Excel::Template, and PDF::Template. I see no reason why you shouldn't go ahead and provide a param()-type method in your global baseclass that will untaint the parameters as you need them. You could even link it with CGI::Untaint as so:
    sub cgiapp_prerun { my $self = shift; $self->param( handler => CGI::Untaint->new( $self->query->Vars ) ) +; return $self->SUPER::prerun( @_ ); } sub extract { my $self = shift; my ($method, $name) = @_; my $handler = $self->param( 'taint_handler' ); return $handler->extract( $method => $name ); }
    Now, your calls to $self->extract() are wrappers around CGI::Untaint's extract(). Done.

    • In general, if you think something isn't in Perl, try it out, because it usually is. :-)
    • "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
Re: Untainting input to CGI::Application
by edan (Curate) on May 18, 2005 at 18:56 UTC
Re: Untainting input to CGI::Application
by Joost (Canon) on May 18, 2005 at 18:59 UTC

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://458388]
Approved by bmann
[GotToBTru]: okay, that is there in the text, not in literal use in any of the examples
[GotToBTru]: the text suggest it is redundant before @
[LanX]: propably ... I also notice new stuff

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (7)
As of 2017-01-18 21:20 GMT
Find Nodes?
    Voting Booth?
    Do you watch meteor showers?

    Results (164 votes). Check out past polls.