in reply to Re: Re: CGI question: untainting a lot of variables
in thread CGI question: untainting a lot of variables

While CGI::Untaint would be good for untainting a mass of variables. It is basicaly more like data validation. To me after looking at CGI::Untaint's documentation it bears a resemblance to a very basic version of Data::FormValidator and is obsoleted by it. Data::FormValidator can be given a regex as a rule to check the input value of a form field. For example:
use strict; use CGI; use Data::FormValidator; my $q = new CGI; # hashref of data my $UnsafeData = $q->Vars; my $validator = new Data::FormValidator( "" ); my ( $valid, $missing, $invalid, $unknown ) = $validator->validate( $ +UnsafeData, "customer_infos" );
An example of taken from the documentation
{ customer_infos => { optional => [ qw( company fax country password password_con +firmation file_path) ], required => [ qw( fullname phone email address) ], required_regexp => '/city|state|zipcode/', optional_regexp => '/_province$/', constraints => { file_path => '/([-\w.\/]*)/', email => "email", fax => "american_phone", phone => "american_phone", zipcode => '/^\s*\d{5}(?:[-]\d{4})?\s*$ +/', state => "state", }, constraint_regexp_map => { '/_postcode$/' => 'postcode', '/_province$/' => 'province, }, dependency_groups => { password_group => [qw/password password_confirm +ation/] } defaults => { country => "USA", }, } }
The data in $valid is now considered untainted and all unexpected fields are put in $unknown as an array ref. Read the documentation on Data::FormValidator as this module will not only allow you to set the rules of the data coming in but also weed out the data that you don't want.