On Thu, Feb 5, 2009 at 1:23 AM, Peter J. Holzer <[email protected]> wrote:
> On 2009-02-03 10:06:48 -0800, Douglas Wilson wrote:
>> On Tue, Feb 3, 2009 at 5:47 AM, Deviloper <[email protected]> wrote:
>
> I think this could be understood differently than you probably meant it.
>
> Perl variables are not generally unsafe, and untainting them doesn't
> make them magically safe.
Right. I was just doing the absolute minimum of at least preventing
meta-characters.
>
> or maybe you don't need to untaint at all because the input is only used
> for lookup:
>
> my %quarters = (
> q1 => ['jan', 'feb', 'mar'],
> ...
> q4 => ['oct', 'nov', 'dec'],
> );
> my @months = @{ $quarters{$quarter} };
> unless (@months) {
> die
> }
> for my $month (@months) {
> $sth = $dbh->prepare("select * from ${month}_sales ...");
> }
>
> Here $month is never tainted because it can get only values from your
> program, not from the user. So it is safe to use.
Although $month seems safe, it still has an unsafe dependency
and is therefore still tainted according to perl (though you could
probably be safe in untainting it with /(.*)/ in this case).
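
The lookup-table approach from the quoted message, written out as a complete script under taint mode; this is an added example, not code from either poster. It assumes Scalar::Util (core since 5.8) and stops short of DBI: sales_query() returns the statement text that would be handed to $dbh->prepare, and it refuses to build that text if the table-name fragment carries taint, so the check is performed rather than assumed either way.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T whitelist_taint.pl q2      (-T must also be on the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed lookup table: the only strings that may ever be spliced into SQL.
# Keys are the accepted user inputs; values come from this program, not the user.
my %quarters = (
    q1 => [qw(jan feb mar)],
    q2 => [qw(apr may jun)],
    q3 => [qw(jul aug sep)],
    q4 => [qw(oct nov dec)],
);

# Whitelist lookup: returns the month names for a known quarter key,
# dies for anything else (typo, injection attempt, empty input).
sub months_for_quarter {
    my ($quarter) = @_;
    my $months = $quarters{$quarter}
        or die "unknown quarter '$quarter'\n";
    return @$months;
}

# Builds the statement text for one month table. Even though the value came
# from %quarters, verify it is untainted before interpolating it into SQL.
sub sales_query {
    my ($month) = @_;
    die "refusing to interpolate tainted table name '$month'\n" if tainted($month);
    return "select * from ${month}_sales";
}

# @ARGV is tainted under -T, so $quarter is the untrusted input.
my $quarter = defined $ARGV[0] ? $ARGV[0] : 'q1';
printf "input %-8s tainted: %s\n", "'$quarter'", tainted($quarter) ? 'yes' : 'no';

for my $month (months_for_quarter($quarter)) {
    printf "month %-8s tainted: %s   %s\n",
        "'$month'", tainted($month) ? 'yes' : 'no', sales_query($month);
}
```

Try it with a valid key and with something like `q1;drop` to see the lookup reject the latter before any SQL text is built.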