When writing anything bound for CGI use, you should invoke it with the -T (taint) option, as it will tell you what data has been presented by the user, and which operations will be potentally bad (such as what you have above).

CGI.pm has no provisions for this, as it highly recommends staying to the param() function.

A better solution in your case is to create an array of allowed variable names, and then only read variable names from the form that are in this group, eg:

my @safe_vars = qw( name address phone age );
...
@names = $q->param;
foreach $name(@names){
    if ( grep { $_ eq $name } @safe_vars ) {
        $$name=$q->param($name);
        #print $name, ': ', $$name, '<BR>';
    }
}
[download]

(TMTOWTDI, of course, but the general idea is there).

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain

---

---

• Are you posting in the right place? Check out Where do I post X? to know for sure.
• Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:

  <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>

• Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
• Want more info? How to link or How to display code and escape characters are good places to start.