--- Teresa Raymond <[EMAIL PROTECTED]> wrote:
> Curtis,
>
> What part of the code that you posted actually does the untainting?
>
> >Here's one way to grab the data and untaint it in one line:
> >
> > my ( $name ) = ( $q->param('name') =~ /^(\w+)$/ );
> >
> >Note the parentheses around *both sides* of the assignment.
> >Also, you need the parentheses in
> >the regular expression. $name will be undef if it does not untaint.
Hi Teresa,
From perlsec: "The only way to bypass the tainting mechanism is by referencing
subpatterns from a regular expression match."
In Perl, if you are referencing subpatterns and you put parentheses around the entire
expression, the subpatterns are returned (list context) and are, of course, untainted.
For example:
my ( $a, $b, $c ) = ( '111-222-333' =~ /^(\d+)-(\d+)-(\d+)$/ );
print "$a $b $c";
In the above code, "111 222 333" will be printed. Note that parentheses are also
around the right side of the expression. The above snippet will not work otherwise.
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
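Added example (not part of the thread above, and not Curtis's or Teresa's code): a
small taint-mode script showing the list-context capture idiom from the reply, what
happens in scalar context instead, and that a non-matching input yields undef rather
than a half-cleaned value. It assumes constructed sample strings in place of
$q->param('name'), taints them by concatenation with a tainted empty string taken from
%ENV, and uses Scalar::Util::tainted to show the taint flag before and after.

```perl
#!/usr/bin/perl -T
# Added example: untainting via list-context regex captures under taint mode.
# Assumptions (not from the original post): input comes from a constructed
# hash instead of CGI.pm, and Scalar::Util::tainted is used to report taint.
use strict;
use warnings;
use Scalar::Util qw(tainted);

sub untaint_word {
    my ($value) = @_;
    # Parentheses on the left force list context, so the capture (not the
    # match's true/false result) is what gets assigned. Only the capture is
    # untainted. An explicit character class is used rather than \w, which
    # under "use locale" or with Unicode strings can match more than ASCII.
    my ($clean) = ( $value =~ /^([A-Za-z0-9_]+)$/ );
    return $clean;    # undef when the input does not match the whole string
}

# Construct tainted input without a real request: concatenating a tainted
# empty string (every %ENV value is tainted under -T) taints the result.
my $taint  = substr( join( '', values %ENV ), 0, 0 );
my %sample = (
    good => $taint . 'alice_42',          # constructed, should untaint
    bad  => $taint . 'alice; rm -rf /',   # constructed, must be rejected
);

for my $label ( sort keys %sample ) {
    my $in  = $sample{$label};
    my $out = untaint_word($in);
    printf "%-4s in=%-18s tainted=%d -> %s tainted=%d\n",
        $label, "'$in'", tainted($in) ? 1 : 0,
        defined $out ? "'$out'" : 'undef',
        ( defined $out && tainted($out) ) ? 1 : 0;
}

# Scalar-context pitfall: assigning to a plain scalar gives the match's
# boolean result, not the captured word, whatever parentheses are on the right.
my $wrong = ( $sample{good} =~ /^([A-Za-z0-9_]+)$/ );
print "scalar context gives: $wrong\n";    # 1, not 'alice_42'
```

Run it as `perl -T untaint.pl` (the -T switch must be given on the command line or
Perl complains it is "too late"). The left-hand parentheses are what put the match in
list context; the anchors ^ and $ are what make the capture a genuine validation
rather than a substring grab, and a failed match leaves the variable undef, which the
caller should treat as a rejection, not as an empty name.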