--- Bill Barrett <[EMAIL PROTECTED]> wrote:
> I really want to keep -T to keep my script completely safe,
> but I simply cannot get the script to completely execute. I am driving
> myself crazy because I don't want to cop out and delete the -T.
>
> I think I'm properly untainting my form variables (I've tried various ways -
> this is one of them):
>
> my $firstName=$q->param('firstName');
>
> if ($firstName =~ /([\w\s\-\.',]+)/) {
> $firstName = $1;
> } else {
> err();
> }
>
> I do this with each piece of data. Then, assuming the person passes the quiz
> I've given, I create an HTML certificate with a few of these
> variables (DOES work with the -T switch), send an email (via sendmail)
> confirming that they passed (does NOT work with -T) and finally
> append the data to a text file (also does NOT work with -T). I don't get
> compile errors - just no emails or file appends!
>
> Apparently Perl is not allowing me to modify files or make the call to
> sendmail; but the documentation is very sparse, and I'm running out of
> ideas. Anyone have advice? Thanks!
>
> [I also seem to vaguely recall a compatibility problem with Perl 5 and
> Solaris 2.8 using -T: can anyone confirm this?]
This, as I recall, is the second time you have asked this. I suspect that the reason no one replied the first time is that there is not sufficient information to answer your question, though I suppose that we should at least have said that :)

Assuming your regular expression is correct, the following snippet that you sent could work:
my $firstName=$q->param('firstName');
if ($firstName =~ /([\w\s\-\.',]+)/) {
$firstName = $1;
} else {
err();
}
The problem, however, is what happens when err() is called. Is the script terminated or not? If the regular expression succeeds, $firstName will be set to $1. If it fails, $firstName will retain its original value. If err() does not halt the program then your code will continue to run and your data will be tainted.
That, however, could be a red herring. Are there any error messages in your error log? Have you verified that you're getting the data that you intended? If you post a minimal test case of your code that replicates the problem, we're much more likely to be able to offer assistance.
As a further note, here's a somewhat safer way to untaint the data above:
my $_firstName = $q->param( 'firstName' );
my ( $firstName ) = ( $_firstName =~ /^([\w\s\-\.',]+)$/ );
Here's what happens: You have two variables instead of one. The first is tainted and the second is clean. If the first one does not untaint, then $firstName is undef. Later, if you see that $firstName is undef, you call your error routine. Also note that I have used ^ and $ to bind the regex to the beginning and end of the string. That's not strictly necessary, but I like to do that to see if anyone's trying to enter stuff they shouldn't.
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
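Putting the advice above together, here is an added example (not code from either message in this thread) of how the untaint, the error exit, the file append and the sendmail call can be arranged so that all of them run under -T. The file and sendmail paths, the field names and a Perl 5.8 or later interpreter are assumptions. Two facts from perlsec are built in: with -T, any call to an external program dies with "Insecure $ENV{PATH}" unless the script sets $ENV{PATH} itself, and that failure is written to the web server's error log rather than to the page, which is why the error log is the first place to look when a -T script goes quiet.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: untaint form fields with anchored
# captures, halt on failure, append to a file and pipe to sendmail under -T.
# The file and sendmail paths below are assumptions.
use strict;
use warnings;
use CGI;
use Scalar::Util qw(tainted);

# perlsec: under -T, running any external program dies with
# "Insecure $ENV{PATH}" unless PATH is assigned from inside the script.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# Halt the script. Under a web server the warn() goes to the error log,
# the same place a -T "Insecure dependency" failure would be reported.
sub err {
    my ($msg) = @_;
    warn "quiz.cgi: $msg\n";
    print $q->header('text/plain'), "Sorry, your request could not be processed.\n";
    exit 1;
}

# Return the clean copy of a name-like field, or undef if any character
# falls outside the allowed set. The anchors make the match cover the
# whole value rather than just one acceptable substring.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($clean) = ( $raw =~ /^([\w\s\-\.',]+)$/ );
    return $clean;
}

# The address is interpolated into a mail header, so unlike the name
# field it must not contain whitespace of any kind (\s would admit
# newlines, and $ matches before a trailing newline).
sub untaint_email {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($clean) = ( $raw =~ /^([\w.+-]+@[\w-]+(?:\.[\w-]+)+)$/ );
    return $clean;
}

my $firstName = untaint_name( $q->param('firstName') );
defined $firstName or err('firstName contains characters outside the allowed set');

my $email = untaint_email( $q->param('email') );
defined $email or err('email is not a plain address');

# Belt and braces: confirm the values really are clean before using them.
err('untaint failed silently') if tainted($firstName) || tainted($email);

# Append the record. The path is a literal in the script, so it is not tainted.
my $results = '/var/tmp/quiz-results.txt';   # assumed path
open my $fh, '>>', $results or err("cannot append to $results: $!");
print {$fh} join("\t", $firstName, $email), "\n";
close $fh or err("close failed on $results: $!");

# Send the confirmation. The list-form open bypasses the shell, the full
# path avoids a PATH lookup, and only untainted values reach the headers.
my $sendmail = '/usr/sbin/sendmail';          # assumed path
open my $mail, '|-', $sendmail, '-t', '-oi' or err("cannot run $sendmail: $!");
print {$mail} "To: $email\n",
              "Subject: Quiz result\n\n",
              "Congratulations $firstName, you passed.\n";
close $mail or err('sendmail exited with status ' . ($? >> 8));

print $q->header('text/plain'), "Thanks $firstName, a confirmation was sent.\n";
```

Each untaint routine returns undef rather than the original value on failure, so a field that does not match can never reach the file or the mail pipe, and err() always exits, which addresses the "does err() halt the program?" question raised in the reply.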