Tracy Hurley wrote: Seems like a tad bit of overkill for my purpose. Thanks for the caveat about other unsafe characters and I'll keep the CGI::Untaint module in mind in the future.
Camilo,
I don't think you need to put $email in quotes to do the check, but it works if you do. Try this:

    # reject more than one '@' or any embedded newline (the /g and /s
    # flags add nothing here: no '.' in the second pattern, and a
    # boolean match does not need /g)
    die &Print_Error if $email =~ /@.*@/ || $email =~ /\n/;
It still might not be secure depending on how $email is being used later. Is it used in a system() call? In open()? In backticks? What about the whitespace? What if there is "\r" in $email? What about ";"? "\0"?
I would suggest matching safe characters, not the unsafe ones, because it's easy to overlook something. Camilo, it's very good that you use the taint mode here. Check out CGI::Untaint::email; this is exactly what you need:
http://search.cpan.org/search?module=CGI::Untaint::email
http://search.cpan.org/search?module=CGI::Untaint
It's used like this:
    use CGI::Untaint;
    # wrap the CGI parameters (hashref from $cgiobj->Vars)
    my $untaint = CGI::Untaint->new($cgiobj->Vars);
    # returns the untainted address, or undef if it is not a valid e-mail
    my $email = $untaint->extract(-as_email => 'email');
You should do the same with other parameters, like name and address. You might need to write your own handler, but it's very easy. Here's an example from the CGI::Untaint documentation, to match a single digit:
    package Mysite::CGI::Untaint::digit;
    use base 'CGI::Untaint::object';
    # anchored regex with one capture group; only a full match untaints
    sub _untaint_re { qr/^(\d)$/ }
    1;
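As an added illustration of the "match safe characters, not unsafe ones" advice and of the one-capture-group rule that CGI::Untaint's _untaint_re relies on, here is a core-Perl allow-list untainter for the three fields in Camilo's script. It is not code from the thread or from CGI::Untaint; the field patterns, the case list and the tainted() demonstration are assumptions chosen for illustration, not RFC-complete validators.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Added example, not code from the thread: allow-list untainting in the
# style of CGI::Untaint's _untaint_re, but in core Perl only. Each field
# has an anchored regex with one capture group. Under -T, $1 from a
# successful match is untainted; a value that does not match as a whole
# is rejected, never "cleaned up". Patterns are illustrative assumptions.
my %rule = (
    # exactly one '@', dotted domain; by construction no whitespace,
    # ';', ',', "\r" or NUL can get through
    email   => qr/^([A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/,
    # letters, spaces, apostrophes and hyphens, 1-80 characters
    name    => qr/^([A-Za-z][A-Za-z' -]{0,79})\z/,
    # letters, digits, spaces and common address punctuation, 1-200 chars
    address => qr/^([A-Za-z0-9 .,#'\/-]{1,200})\z/,
);
# Note the \z anchor: '$' also matches just before a trailing "\n", so
# /^(...)$/ would silently accept "user\@example.com\n".

# Returns the untainted value, or undef if the value does not match entirely.
sub untaint_field {
    my ($field, $value) = @_;
    my $re = $rule{$field} or die "no rule for field '$field'\n";
    return unless defined $value && $value =~ $re;
    return $1;
}

# Constructed test values. Appending an empty slice of a %ENV value taints
# the string under -T, so tainted() can show before/after (it is always 0
# when the script is run without -T).
my $taint = substr($ENV{PATH} // '', 0, 0);
my @cases = (
    [ email   => 'camilo@example.com',    'accept' ],
    [ email   => 'two@at@signs.example',  'reject' ],   # the /@.*@/ case
    [ email   => "user\@example.com\n",   'reject' ],   # trailing newline
    [ email   => "user\@example.com;x",   'reject' ],   # ';'
    [ email   => "user\@example.com\0",   'reject' ],   # NUL
    [ name    => "Camilo O'Brien",        'accept' ],
    [ name    => "Camilo\rSmith",         'reject' ],   # "\r" is covered too
    [ address => '12 Main St, Apt #4',    'accept' ],
    [ address => 'x' x 201,               'reject' ],   # length limit
);

for my $c (@cases) {
    my ($field, $raw, $expect) = @$c;
    my $in  = $raw . $taint;
    my $out = untaint_field($field, $in);
    printf "%-7s expect %-6s %s  (tainted in=%d out=%d)\n",
        $field, $expect, defined $out ? "ok: $out" : 'rejected',
        tainted($in) ? 1 : 0, (defined $out && tainted($out)) ? 1 : 0;
}
```

Run it as `perl -T untaint.pl` (the -T switch must be on the command line or Perl reports "Too late for -T" when the shebang is not used). Every accepted value comes back untainted and every sample that the thread's deny-list was trying to catch is rejected without the script having to enumerate the bad characters.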
It seems I needed to escape the backslash in '\n'. Here's my new code

    #!/usr/local/bin/perl -wT
    use CGI::Carp qw(fatalsToBrowser);
    use strict;
    use CGI;
    my $cgiobj = CGI->new;
    $ENV{PATH} = "";

    # Get parameters
    my $name    = $cgiobj->param('name');
    my $address = $cgiobj->param('address');
    my $email   = $cgiobj->param('email');
    # Print_Error is defined elsewhere in the script (not shown here).
    # Note: inside the regex, \\n matches a literal backslash followed by
    # 'n', not a newline character.
    die &Print_Error if $email =~ /@.*@|\\n|;|\0|,/gs;
-- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] <http://learn.perl.org/> <http://learn.perl.org/first-response>