http://qs321.pair.com?node_id=458388

ghettofinger has asked for the wisdom of the Perl Monks concerning the following question:

Hello everyone,

I have put together quite a few pages using CGI and HTML::Template and I really like it. It works. When I took the little perl knowledge that I had and comined it with Ovid's CGI Course I felt that I had a simple and secure application. I am trying to expand my sites and add more functionality so I have decided to start using CGI::Application. This is a realy cool module and fun to use. I have an issue though. I am not sure how I can untaint input from users. Take the following for example:

sub login{ my $self = shift; my ($nick, $pass) = @_; my $session = $self->param('session'); if(defined $nick and defined $pass){ if($nick eq $pass){ #REPLACE THIS WITH A REAL CHECK!!!! #DO STUFF }else{ #DO OTHER THINGS } }

I have been using CGI::Untaint when I was using just CGI, but now that I am modularizing the site, I am not sure how to go about this. Should I be looking to "$self" and asking for $nick and $pass and then untaint them? Is there a better way to do this now the I am using CGI::Application?

My thanks to all,
ghettofinger

Replies are listed 'Best First'.
Re: Untainting input to CGI::Application
by dragonchild (Archbishop) on May 18, 2005 at 18:58 UTC
    CGI::Application is meant to be subclassed. This means that you're supposed to write a class that uses it as a starting point. When I write C::A apps, I actually have 2-3 levels of baseclasses. The first one is my global baseclass. It's my version of what C::A should do. This includes providing a print() method that dispatches between HTML::Template, Excel::Template, and PDF::Template. I see no reason why you shouldn't go ahead and provide a param()-type method in your global baseclass that will untaint the parameters as you need them. You could even link it with CGI::Untaint as so:
    sub cgiapp_prerun { my $self = shift; $self->param( handler => CGI::Untaint->new( $self->query->Vars ) ) +; return $self->SUPER::prerun( @_ ); } sub extract { my $self = shift; my ($method, $name) = @_; my $handler = $self->param( 'taint_handler' ); return $handler->extract( $method => $name ); }
    Now, your calls to $self->extract() are wrappers around CGI::Untaint's extract(). Done.

    • In general, if you think something isn't in Perl, try it out, because it usually is. :-)
    • "What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?"
Re: Untainting input to CGI::Application
by edan (Curate) on May 18, 2005 at 18:56 UTC
Re: Untainting input to CGI::Application
by Joost (Canon) on May 18, 2005 at 18:59 UTC