Gunnar Hjalmarsson wrote:
Michael Kraus wrote:

now I'm wondering what others on this list would recommend regarding
CGI::Untaint(?). :)


Didn't know it existed until you mentioned it.

Me either :)

My philosophy, when running a program in taint mode, is that validating
form data and untainting are two separate things: I validate much of the

I second that also, the docs say:

"If any of the validation rules change, you often have to alter them in many different places. And, if you want to operate taint-safe, then you're just adding even more headaches."

So if you use this module and it changes you'd probably have to change it in as many places, just different places.

data to prevent that my app stores bad data and/or generates bad output,
while I only untaint those variables that are used for system interaction.

The (very) quick look I had at the CGI::Untaint POD left the
impression that it's designed for untainting all CGI data. If that's the
case, I have to ask what the point is. Isn't it even more secure to
leave user provided data, that are not used in system operations, tainted?

Yeah I think also, why run in taint mode if you just want to untaint it all, basically blindly? Just turn off taint mode :)


You still need to validate that the input is what you want, and as Gunnar said validation and untainting are better off as separate things even if they do overlap sometimes in use.

So I think for what it does (at least as far as I understand it from the docs) CGI::Validate would be a better name for it...

Just my .02 ;p
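Added example, not code from anyone in this thread: a small taint-mode CGI script that keeps the two steps apart the way Gunnar describes. Form data that is only stored or echoed (here a hypothetical "comment" field) is validated but left tainted, while the one value that reaches the filesystem (a hypothetical "report" field used to pick a file under a made-up directory) is untainted through a strict whitelist capture. The field names, the directory and the helper name are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): validation and untainting kept
# separate. Field names "comment" and "report", the report directory and
# untaint_report_name() are hypothetical.
use strict;
use warnings;
use CGI;
use Scalar::Util qw(tainted);

# Under -T the inherited PATH is itself tainted; set a fixed one before
# anything could spawn a subprocess, and drop the shell-influencing vars.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $report_dir = '/var/www/reports';    # hypothetical location

# Untaint only what is used for system interaction: a report name must be
# a short alphanumeric token, and the capture from the match is untainted.
sub untaint_report_name {
    my ($raw) = @_;
    defined $raw or die "missing report name\n";
    my ($clean) = $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/
        or die "invalid report name\n";
    return $clean;
}

# Validate data that is only stored/printed; it deliberately stays tainted
# so perl stops us if it is ever accidentally used in open() or system().
sub validate_comment {
    my ($raw) = @_;
    $raw = '' unless defined $raw;
    die "comment too long\n"               if length $raw > 2000;
    die "comment has control characters\n" if $raw =~ /[[:cntrl:]]/;
    return $raw;    # same (tainted) value, now known to be acceptable
}

my $q       = CGI->new;
my $comment = validate_comment(scalar $q->param('comment'));
my $report  = untaint_report_name(scalar $q->param('report'));

# Only $report is allowed near the filesystem.
open my $fh, '<', "$report_dir/$report.txt"
    or die "cannot open report '$report': $!\n";
my $body = do { local $/; <$fh> };
close $fh;

print $q->header('text/plain');
# With real CGI input, $comment is tainted and $report is not; the
# untainted value is the only one that could reach open() above.
printf "comment tainted: %s, report tainted: %s\n",
    tainted($comment) ? 'yes' : 'no',
    tainted($report)  ? 'yes' : 'no';
print "comment: ", $q->escapeHTML($comment), "\n";
print $body;
```

Run as a CGI under a web server with -T so the parameters actually arrive tainted; invoked from a shell with no query string it dies at the missing report name, which is the intended failure for an unvalidated request.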
