Clear questions and runnable code get the best and fastest answer |
|
PerlMonks |
Re: Web form securityby Masem (Monsignor) |
on Jul 30, 2001 at 17:18 UTC ( [id://100852]=note: print w/replies, xml ) | Need Help?? |
When writing anything bound for CGI use, you should invoke it with the -T (taint) option, as it will tell you what data has been presented by the user, and which operations will be potentally bad (such as what you have above).
CGI.pm has no provisions for this, as it highly recommends staying to the param() function. A better solution in your case is to create an array of allowed variable names, and then only read variable names from the form that are in this group, eg: (TMTOWTDI, of course, but the general idea is there).
-----------------------------------------------------
In Section
Seekers of Perl Wisdom
|
|