When your code is untainting $argv[1] after the tainted value has been copied into $data{'email'}, why would you expect the database interaction to change? I believe that you need to untaint $data{'email'}, since that's your input to the database.
I switched your code over to SQLite to try it myself; unfortunately, even with the code you posted (except for the switch to SQLite), both CRID and TEST gave me 5. So I cannot test that portion for you. But if you add debug prints of the taintedness of both after you believe you are untainted, you will see
... snippet ...
# here, you untainted the argv[1], but not the hash value!
if ($argv[1] =~ /^(.+\@.+\..+)$/) {
    $argv[1] = $1;
    say "Looking while Untainted...";
    say "EMAIL: $argv[1]";
    say __LINE__, ": argv is ", (tainted($argv[1])?'':'not ', "tainted");
    # edit: uncomment here to untaint the hash value as well
    #$data{'email'} = $argv[1];
}
say "argv is ", (tainted($argv[1])?'':'not ', "tainted");
say "data{email} is ", tainted($data{'email'})?'':'not ', "tainted";
... snippet ...
__END__
With the line commented, as shown:
C:\usr\local\share\PassThru\perl\perlmonks>perl -T pm11135636.pl "" foo@bar.com
Content-type: text/plain
Perl: 5.030000
Database: SQLite 3.26.0
Driver: SQLite
DBI Ver: 1.642
DBD::SQLite Ver: 1.62
Email is tainted
Tainted...
EMAIL: foo@bar.com
Untainted...
EMAIL: foo@bar.com
argv is not tainted
data{email} is tainted
CRID: 5
TEST: 5
With the line uncommented, so it untaints:
C:\usr\local\share\PassThru\perl\perlmonks>perl -T pm11135636.pl "" foo@bar.com
Content-type: text/plain
Perl: 5.030000
Database: SQLite 3.26.0
Driver: SQLite
DBI Ver: 1.642
DBD::SQLite Ver: 1.62
Email is tainted
Tainted...
EMAIL: foo@bar.com
Untainted...
EMAIL: foo@bar.com
argv is not tainted
data{email} is not tainted
CRID: 5
TEST: 5
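The behaviour discussed in this reply, as a stand-alone added example (not the poster's script and not code from the original thread): taint belongs to each scalar value, so a copy taken before untainting stays tainted until it is itself passed through a regex capture. The helper names untaint_email and report, the file name taint_copy.pl and the fallback sample address are assumptions made for this illustration; the pattern is the one from the post.

```perl
# Added example. Run as: perl -T taint_copy.pl foo@bar.com
use strict;
use warnings;
use feature 'say';
use Scalar::Util qw(tainted);

die "run with -T so taint checks are active\n" unless ${^TAINT};

# Hypothetical helper: return an untainted copy of $raw if it matches,
# otherwise undef. Only a regex capture ($1) clears the taint flag.
sub untaint_email {
    my ($raw) = @_;
    return unless defined $raw;
    if ($raw =~ /^(.+\@.+\..+)$/) {    # pattern copied from the post
        return $1;
    }
    return;
}

# Hypothetical helper: print the taint state of one value.
sub report {
    my ($label, $value) = @_;
    say sprintf '%-24s %s', $label, tainted($value) ? 'tainted' : 'not tainted';
}

# Constructed sample input: the command-line argument if given, else a
# literal made tainted by appending a zero-length tainted string.
my $input = @ARGV ? $ARGV[0] : 'foo@bar.com' . substr("$0$^X", 0, 0);
die "sample input is not tainted on this perl\n" unless tainted($input);

my %data = (email => $input);          # the copy carries the taint with it

# The mistake from the thread: clean the source after the copy was taken.
my $source = untaint_email($input);
report('source after untaint:', $source);
report('data{email} (stale):',  $data{email});

# Fix: validate and untaint the value that is actually handed to the database.
$data{email} = untaint_email($data{email}) // die "rejecting malformed email\n";
report('data{email} (fixed):', $data{email});
```

With a well-formed address it reports the untainted source as not tainted, the stale hash value as tainted, and the hash value after the fix as not tainted.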