I'd like to ensure my data isn't tainted and the script isn't exploitable. After reading Untainting Safely and Ovid's CGI Tutorial, I came up with the code at the end of this posting.

If it's not too much touble, can I get some comments on my first attempt at untainting data. Am I missing anything or doing anything risky?

Thanks for your help.

#!/usr/local/bin/perl -wT
.
.
.
sub saveChanges {
   sub untaint {
      # remove any characters except those listed in regex            
+       
      my $s = $_[0];
      $s =~ s/[^\w \-\@\(\)\,\.\/]//g;  # untaint the data
      return $s;
   }

   # only put valid keys in the hash
   my %c = ();
   my @keys = qw(name birthday email phone cell addr1 addr2 ICQ AIM MS
+N Y!);
   foreach my $i (@keys) {
      if ( defined param("$i") && !param("$i") =~ /^\s*$/ ) {
         $c{$i} = untaint( param("$i") );
      }
   }

   # update datafile
   my $tmpFile = $$config{"data"} . ".tmp";
   open (TFILE, ">$tmpFile") or die "Can't open file: $!\n";
   flock (TFILE, 2) or die "Can't lock file: $!\n";
      my $cousins = &readData();  # read the current datafile
      foreach my $cousin ( keys %$cousins ) {
         if ( $cousin eq $c{"name"} ) { $$cousins{"name"} = \%c; }
         print TFILE "\nname :: $cousin\n";
         foreach my $field ( keys %{$$cousins{$cousin}} ) {
            print TFILE "$field :: $$cousins{$cousin}{$field}\n";
         }
      }
   flock(TFILE, 8);
   close(TFILE);
   rename( $tmpFile, $$config{"data"} );
}
[download]

Update: Added first line of the script to the code block. I'm assuming the -T argument runs the script in taint mode.