Clear questions and runnable code get the best and fastest answer |
|
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
When writing anything bound for CGI use, you should invoke it with the -T (taint) option, as it will tell you what data has been presented by the user, and which operations will be potentally bad (such as what you have above).
CGI.pm has no provisions for this, as it highly recommends staying to the param() function. A better solution in your case is to create an array of allowed variable names, and then only read variable names from the form that are in this group, eg: (TMTOWTDI, of course, but the general idea is there).
-----------------------------------------------------
In reply to Re: Web form security
by Masem
|
|