in reply to Essential CGI Security Practices

As far as the CGI::Carp qw/fatalsToBrowser/ goes, I would suggest an alternative to removing it altogether. CGI::Carp has had the facility to alter the output message for quite a while - you can supply a coderef to a subroutine that will be called with the error message and which should print the text of the message to be output - and you can set a $DEBUGGING variable to determine whether the actual error message gets output:

    use CGI::Carp qw(fatalsToBrowser set_message);
    use vars qw($DEBUGGING);

    BEGIN {
        $DEBUGGING = 1;    # set to 0 to keep the real error text out of the browser
        my $error_handler = sub {
            my $message = shift;          # the die() message passed in by CGI::Carp
            print "<h1>Oooh I got an error</h1>";
            print $message if $DEBUGGING;
        };
        set_message($error_handler);
    }

This allows you to easily switch on or off the detailed error messages and means you don't have to take the 'or die' out of potentially hundreds of lines of code.
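A variant of the same set_message approach, added here as an example and not taken from the original reply: the switch comes from an environment variable (CGI_DEBUG, a name assumed for the example) instead of a constant, the full error always goes to the server log with a reference id, and the message is HTML-escaped before it is shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Carp qw(fatalsToBrowser set_message);

# Added example, not the original poster's code. CGI_DEBUG is a hypothetical
# variable name: set it from the server configuration (e.g. Apache SetEnv),
# never from request data, so a client cannot switch the detail on.
our $DEBUGGING;

BEGIN {
    $DEBUGGING = $ENV{CGI_DEBUG} ? 1 : 0;
    set_message(\&handle_fatal);
}

# Minimal HTML escaping so an error string that echoes user input (a bad
# file name, a query parameter) cannot inject markup into the debug page.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Called by CGI::Carp with the die() message after it has sent the HTTP
# header. The full text always goes to STDERR (the web server's error log
# for CGI scripts) tagged with an id that is also shown to the user, so a
# support request can be matched to the log line.
sub handle_fatal {
    my ($message) = @_;
    my $id = sprintf '%d-%d', time, $$;
    print STDERR "[fatal $id] $message";
    print "<h1>Something went wrong</h1>\n";
    print "<p>Please quote reference $id when reporting this.</p>\n";
    print '<pre>', escape_html($message), "</pre>\n" if $DEBUGGING;
}

# Existing 'or die' lines stay as they are; this one just exercises the path.
open my $fh, '<', '/etc/no-such-config'
    or die "cannot open config: $!\n";
```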