Curtis Poe wrote:
: How do you know if the untainting succeeded? Since you are assigning back to the
: same variable (unless you have an else that you didn't show us). I like to assign
: to a 'dirty' variable and then untaint to a clean one. This is a lot safer. If a
: maintenance programmer comes along and removes the 'else', then you have a
: security issue. This will do what you want (if I understood you correctly):
:
: my ( $data ) = ( $dirty_data =~ /^([-@w.:+, ]+)$/ );
:
: Note that a character class does not respect metacharacters like a normal regex.
: You don't need to escape most characters.
You still need the backslash for \w. Otherwise it matches only the
letter w.
In fact the above regex throws a fatal error in 5.6.0: "In string,
@w now must be written as \@w"; i.e., it thinks you're trying to
interpolate the array @w. So maybe it would be safer to backslash
the @ anyway, in case a letter follows it.
-- tdk
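The dirty-to-clean untainting pattern discussed in this thread, written out as an added example (my code, not Curtis Poe's or tdk's), with the two corrections tdk raises applied: `\w` is backslashed so it means word characters rather than the letter w, and `@` is backslashed so Perl cannot read `@w` as an array interpolation. The sample inputs and the `untaint` helper name are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread: untaint into a separate
# clean variable and check whether the match actually succeeded.
use strict;
use warnings;

# Constructed sample inputs: the first is within the whitelist, the second is not.
my @samples = ( 'user.name@example.com', "rm -rf /;\n" );

# Whitelist of allowed characters. \w is backslashed (a bare 'w' would match
# only the letter w) and '@' is backslashed so Perl does not try to
# interpolate an array such as @w inside the pattern.
my $allowed = qr/^([-\@\w.:+, ]+)\z/;

# Returns the untainted copy on success, or undef when the input contains
# anything outside the whitelist. The dirty value is never returned.
sub untaint {
    my ($dirty) = @_;
    my ($clean) = ( $dirty =~ $allowed );   # empty list on failure -> undef
    return $clean;
}

for my $dirty (@samples) {
    my $clean = untaint($dirty);
    if ( defined $clean ) {
        print "ok:   '$clean'\n";
    }
    else {
        # Keep using $dirty here and the taint check would have been pointless.
        print "FAIL: input rejected, nothing assigned to the clean variable\n";
    }
}
```

Two points beyond the thread's own text: `\z` is used instead of `$` because `$` also matches before a trailing newline, so the original pattern would accept `"abc\n"`; and the caller tests `defined $clean` explicitly, which is the check the first message asks for when the result is assigned back to the same variable.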