Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Untainting input to CGI::Application

by ghettofinger (Monk)
on May 18, 2005 at 18:46 UTC ( #458388=perlquestion: print w/ replies, xml ) Need Help??
ghettofinger has asked for the wisdom of the Perl Monks concerning the following question:

Hello everyone,

I have put together quite a few pages using CGI and HTML::Template and I really like it. It works. When I took the little perl knowledge that I had and comined it with Ovid's CGI Course I felt that I had a simple and secure application. I am trying to expand my sites and add more functionality so I have decided to start using CGI::Application. This is a realy cool module and fun to use. I have an issue though. I am not sure how I can untaint input from users. Take the following for example:

sub login{ my $self = shift; my ($nick, $pass) = @_; my $session = $self->param('session'); if(defined $nick and defined $pass){ if($nick eq $pass){ #REPLACE THIS WITH A REAL CHECK!!!! #DO STUFF }else{ #DO OTHER THINGS } }

I have been using CGI::Untaint when I was using just CGI, but now that I am modularizing the site, I am not sure how to go about this. Should I be looking to "$self" and asking for $nick and $pass and then untaint them? Is there a better way to do this now the I am using CGI::Application?

My thanks to all,
ghettofinger

Comment on Untainting input to CGI::Application
Download Code
Re: Untainting input to CGI::Application
by edan (Curate) on May 18, 2005 at 18:56 UTC
Re: Untainting input to CGI::Application
by dragonchild (Archbishop) on May 18, 2005 at 18:58 UTC
    CGI::Application is meant to be subclassed. This means that you're supposed to write a class that uses it as a starting point. When I write C::A apps, I actually have 2-3 levels of baseclasses. The first one is my global baseclass. It's my version of what C::A should do. This includes providing a print() method that dispatches between HTML::Template, Excel::Template, and PDF::Template. I see no reason why you shouldn't go ahead and provide a param()-type method in your global baseclass that will untaint the parameters as you need them. You could even link it with CGI::Untaint as so:
    sub cgiapp_prerun { my $self = shift; $self->param( handler => CGI::Untaint->new( $self->query->Vars ) ) +; return $self->SUPER::prerun( @_ ); } sub extract { my $self = shift; my ($method, $name) = @_; my $handler = $self->param( 'taint_handler' ); return $handler->extract( $method => $name ); }
    Now, your calls to $self->extract() are wrappers around CGI::Untaint's extract(). Done.

    • In general, if you think something isn't in Perl, try it out, because it usually is. :-)
    • "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
Re: Untainting input to CGI::Application
by Joost (Canon) on May 18, 2005 at 18:59 UTC

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://458388]
Approved by bmann
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (4)
As of 2014-08-30 03:36 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (291 votes), past polls