Hi,
I have my script running in taint mode. I found the
CGI::Application::ValidateRM module very useful and tried to take advantage
of it and its untainting capabilities.
Here is a simple example:
==============================================================
use CGI::Application::ValidateRM;
# [...]
my $profile = {
    required                  => 'USER',
    constraints               => {            # Data::FormValidator spells this key "constraints"
        USER => 'login',                      # resolved to match_login via validator_packages
    },
    untaint_constraint_fields => [qw|USER|],
    validator_packages        => [qw|My::Constraints|],   # with match_login definition
};
my ($res, $err_page) = $self->check_rm('login', $profile);

# My match_login (in My::Constraints) looks like:
sub match_login {
    my $login = shift;
    # the regex capture is what yields the untainted value
    if ($login =~ /^([\d\w]{3,10})$/) {
        return $1;
    } else {
        return undef;
    }
}
==============================================================
Validation is successful. After that I try to execute a DBI fetch
with bind variables:
$res = $dbh->selectall_arrayref($sth, {}, $self->query->param('USER'));
And the script complains that $self->query->param('USER') is tainted.
Why?
I would appreciate any help.
Best regards,
Wojciech Pietron
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
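Where the laundered value actually lives, as an added stand-alone example (not code from the original post or from the modules it names): Data::FormValidator, which CGI::Application::ValidateRM wraps, stores the value returned by a match_* constraint in its results object, retrievable as $res->valid('USER'). It never writes that value back into the CGI query object, so $self->query->param('USER') is still the raw, tainted request data. The script below reproduces this with plain Perl: match_login as posted, a %query hash standing in for the query parameters, a %valid hash standing in for the results object, a hypothetical bind_login function standing in for the taint check a database call performs, and a constructed tainted input.

```perl
#!/usr/bin/perl -T
# Run as ./taint_demo.pl or "perl -T taint_demo.pl [login]"; the -T on the
# shebang means taint mode is required (perl refuses to start without it).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Same shape as the match_login constraint from the post: the capture ($1)
# is the only thing that launders the value. A successful match returns an
# untainted copy, anything else returns undef.
sub match_login {
    my ($login) = @_;
    return undef unless defined $login;
    return $login =~ /^(\w{3,10})$/ ? $1 : undef;
}

# Hypothetical stand-in for the taint check a DBI sink (or any system-level
# operation) performs: refuses tainted input, returns the bound value otherwise.
sub bind_login {
    my ($value) = @_;
    die "Insecure dependency: login value is tainted\n" if tainted($value);
    return $value;
}

# Constructed request data. A command-line argument is tainted under -T; the
# fallback is made tainted by concatenating a zero-length piece of a tainted
# %ENV value, which is enough to taint the result. Either way $raw_user
# behaves like a real CGI parameter.
my $raw_user = @ARGV ? $ARGV[0] : 'alice01' . substr($ENV{PATH} // '', 0, 0);
my %query    = (USER => $raw_user);    # stands in for $self->query->param(...)

# The validator hands back a laundered *copy*; %query is left untouched.
# %valid plays the role of the Data::FormValidator results object.
my %valid;
$valid{USER} = match_login($query{USER});

printf "query param tainted    : %s\n", tainted($query{USER}) ? 'yes' : 'no';
printf "validated copy tainted : %s\n", tainted($valid{USER}) ? 'yes' : 'no';

# Binding the raw parameter (what the post does) dies under -T ...
eval { bind_login($query{USER}) };
print "raw param      -> ", $@ || "ok\n";

# ... while the validated value binds cleanly, or is rejected outright when
# match_login found nothing to capture.
if (defined $valid{USER}) {
    eval { bind_login($valid{USER}) };
    print "validated copy -> ", $@ || "ok, bound '$valid{USER}'\n";
} else {
    print "validated copy -> rejected by match_login, nothing to bind\n";
}
```

Try it with a clean login (alice01) and with one the constraint rejects (such as 'bob;rm'): the raw parameter is tainted in both runs, and only the value returned through the validator is safe to pass to the database call. In the ValidateRM code from the post, that value is $res->valid('USER').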