http://qs321.pair.com?node_id=150637


in reply to Why use taint
in thread Errors in my (simple?) CGI Script!

I'm not sure why you are asserting that all parameters must specifically be untainted. I would tend to agree with Juerd that unless you're using it in a system call, it doesn't pose a security problem. (theguvnor would welcome any enlightenment to the contrary).

On the other hand, I don't understand Juerd's assertion that Perl's tainting is such a problem.

  1. You don't have to run -T if you don't want.
  2. Even when you use it, you only have to untaint those variables that you want to use in system calls.

So I don't know why Juerd is so down on Perl's tainting mechanism...

..Guv
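An added illustration of item 2 above (not code from the thread or its authors): under -T the parameter itself can be read, printed or stored freely, and only the copy handed to a system call has to be untainted, which Perl does through a regex capture. The parameter comes from @ARGV as a stand-in for a CGI parameter, since both are tainted under -T; run it as `perl -T taint_demo.pl 'report.txt'`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: under -T, @ARGV (like %ENV and CGI input) is tainted,
# so the first argument plays the role of a CGI parameter.
my $name = shift @ARGV // 'report.txt';

# Taint mode refuses any system call while PATH is tainted, so set a
# trustworthy one and drop the other variables the shell might consult.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Using the raw value here is fine: tainting only bites on system calls.
print "raw parameter: $name (tainted: ", (tainted($name) ? 'yes' : 'no'), ")\n";

# Untaint by keeping only the characters we are willing to pass on.
# A regex capture is untainted; anything outside the whitelist makes us stop.
my ($safe) = $name =~ /\A([\w.\-]+)\z/
    or die "refusing parameter: unexpected characters\n";
print "validated parameter: $safe (tainted: ", (tainted($safe) ? 'yes' : 'no'), ")\n";

# This line would die with "Insecure dependency in system while running
# with -T switch", which is exactly the check taint mode adds:
# system('ls', '-l', $name);

# The validated copy, passed as a list so no shell is involved at all.
system('ls', '-l', $safe) == 0
    or warn "ls exited with status ", $? >> 8, "\n";
```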

Re: Re: Why use taint
by simon.proctor (Vicar) on Mar 10, 2002 at 16:11 UTC
    I think in fairness I was neither asserting nor insisting someone use taint. Rather I was expressing that it could be used and voicing a personal opinion that it should. If it wasn't clear enough that it was a matter of opinion only, then apologies for any confusion caused.