PerlMonks  

Re: Getting help with CGI's

by kha0z (Scribe)
on Apr 10, 2001 at 00:32 UTC ( [id://71141] )


in reply to Getting help with CGI's

As stated earlier, taint mode is about the easiest way to help you pinpoint bad data. Regex is the best way to untaint it; just remember that your expression should state what you want to allow, not what you want to exclude. Always use strict.

Security is also a large part of the system administrator's job. So for one, Apache should execute your CGI script as nobody. This will minimize the amount of damage that the security holes may cause. Additionally, it's always a good idea to restrict access to your scripts so that they can only be executed from an allowed HTTP referer.

I suggest always trying yourself first.... it's always a good learning experience, and then look at competitors' products; they may shed some light on how to improve and lock down security in your script.

Being concerned about security is always good. Remember that no script is perfect (especially when they are complex); the idea behind security is to minimize known risks and then to fix other risks as you find them. It's always a learning process.

Good Luck.

kha0z -- www.kha0z.net
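An added example of the allow-list untainting kha0z describes; it is not code from the original post. The file-name rules and the sample inputs are assumptions made for the demo.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T untaint_demo.pl [filename]
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Allow-list untainting: the pattern states exactly what a safe file name
# looks like; anything that does not match is rejected outright.
sub untaint_filename {
    my ($value) = @_;
    return unless defined $value;
    # Assumed rule: 1-64 chars of [A-Za-z0-9_.-], must not start with a dot
    # (blocks ".." and hidden files) and contains no slash (no traversal).
    if ( $value =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\z/ ) {
        return $1;    # captured text from a successful match is untainted
    }
    return;           # undef: the caller must treat this as bad data
}

# Constructed sample: use the first command-line argument (tainted under -T),
# or build a tainted string from a zero-length slice of %ENV so the demo
# still exercises taint tracking when run with no arguments.
my $raw = @ARGV ? $ARGV[0]
                : substr( $ENV{PATH} // '', 0, 0 ) . 'report_2001.txt';

printf "input '%s' tainted: %s\n", $raw, tainted($raw) ? 'yes' : 'no';

my $safe = untaint_filename($raw);
if ( defined $safe ) {
    printf "accepted '%s' (tainted: %s)\n", $safe, tainted($safe) ? 'yes' : 'no';
}
else {
    # Do not "clean" the value by stripping characters; refuse it and log it.
    print "rejected: input does not match the allow-list\n";
}

# The same check over a few constructed inputs; only the first one passes,
# and none of the others needed a deny-list entry to be caught.
for my $candidate ( 'report_2001.txt', '../secret.txt', 'file name.txt', 'x;ls' ) {
    printf "%-18s => %s\n", "'$candidate'",
        defined untaint_filename($candidate) ? 'ok' : 'rejected';
}
```

Under -T the script will die with "Insecure dependency" if the raw value is ever passed to open for writing, system or exec, which is how taint mode points you at the place where an untaint check is missing.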
