While CGI::Untaint would be good for untainting a mass of variables, it is basically more like data validation. To me, after looking at CGI::Untaint's documentation, it bears a resemblance to a very basic version of Data::FormValidator and is obsoleted by it. Data::FormValidator can be given a regex as a rule to check the input value of a form field. For example:
    use strict;
    use CGI;
    use Data::FormValidator;

    my $q = CGI->new;
    # hashref of data
    my $UnsafeData = $q->Vars;
    my $validator = Data::FormValidator->new( "input_profiles.pl" );
    my ( $valid, $missing, $invalid, $unknown ) =
        $validator->validate( $UnsafeData, "customer_infos" );
An example of input_profiles.pl taken from the documentation:
    {
        customer_infos => {
            optional =>
                [ qw( company fax country password password_confirmation file_path ) ],
            required =>
                [ qw( fullname phone email address ) ],
            required_regexp => '/city|state|zipcode/',
            optional_regexp => '/_province$/',
            constraints =>
                {
                    file_path => '/([-\w.\/]*)/',
                    email     => "email",
                    fax       => "american_phone",
                    phone     => "american_phone",
                    zipcode   => '/^\s*\d{5}(?:[-]\d{4})?\s*$/',
                    state     => "state",
                },
            constraint_regexp_map => {
                '/_postcode$/' => 'postcode',
                '/_province$/' => 'province',   # closing quote was missing
            },
            dependency_groups => {
                password_group => [ qw/password password_confirmation/ ],
            },                                  # comma before defaults was missing
            defaults => {
                country => "USA",
            },
        }
    }
The data in $valid is now considered untainted and all unexpected fields are put in $unknown as an array ref. Read the documentation on Data::FormValidator as this module will not only allow you to set the rules of the data coming in but also weed out the data that you don't want.
BMaximus
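As an added illustration (not part of BMaximus's post or the module's own documentation), the script below runs a profile like the one above against a constructed, deliberately tainted input hash under taint mode and shows which values come back untainted, which fields fail their constraint, and which land in the unknown list. It assumes a Data::FormValidator release that supports the `filters` and `untaint_all_constraints` profile keys; the field names and sample values are made up.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Data::FormValidator;

# Constructed sample input standing in for $q->Vars. Real CGI parameters are
# tainted under -T, so mark these the same way by appending a zero-length
# slice of $ENV{PATH}, which perl treats as tainted.
my $taint  = substr( $ENV{PATH} // '', 0, 0 );
my %unsafe = map { $_->[0] => $_->[1] . $taint } (
    [ fullname  => 'Jane Doe' ],
    [ email     => 'jane@example.com' ],
    [ zipcode   => '  12345-6789 ' ],      # trimmed by the filter below
    [ file_path => '../../etc/passwd' ],   # fails the file_path constraint
    [ debug     => '1' ],                  # not in the profile -> unknown
);

# Inline profile in the same shape as the customer_infos entry above.
my $profile = {
    required    => [qw( fullname email zipcode )],
    optional    => [qw( file_path )],
    filters     => ['trim'],
    constraints => {
        email     => 'email',
        zipcode   => qr/^(\d{5}(?:-\d{4})?)$/,
        file_path => qr/^([-\w.]+)$/,      # a single path component, no slashes
    },
    # Only values that pass a constraint are untainted; without this key
    # (or untaint_constraint_fields) $valid stays tainted.
    untaint_all_constraints => 1,
};

my ( $valid, $missing, $invalid, $unknown ) =
    Data::FormValidator->validate( \%unsafe, $profile );

for my $field ( sort keys %$valid ) {
    printf "%-9s => %-20s tainted=%d\n",
        $field, $valid->{$field}, tainted( $valid->{$field} ) ? 1 : 0;
}
print "missing: @$missing\n";
print "invalid: @$invalid\n";   # file_path
print "unknown: @$unknown\n";   # debug
```

Run it with `perl -T script.pl`, since perl refuses a `-T` shebang once the script has already started without it.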