Administration
AJAX
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Style-Sheets
Web Services
XML
Zend
Zope

Forums Sitemap
IBM® developerWorks
Sun Developer Network

Dedicated Servers
E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
Actuate Whitepapers
VeriSign Whitepapers
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

PERL

RSS

Writing Secure CGI Scripts

By: Pete Smith	Search For More Articles! Disclaimer Author Terms
Rating: / 6
2002-05-30

Table of Contents:

Writing Secure CGI Scripts

Why should I care about security?

Shell processing

Untainting data

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

ADVERTISEMENT

Stay one step ahead of the competition. Evaluate and give feedback on some of the hottest web development tools on the market today. Make your opinion heard! Click Here

Writing Secure CGI Scripts - Untainting data

(Page 4 of 4 )

As we've already seen, tainted-ness follows a variable - even if it's value is assigned to another variable. There is, however, one way to untaint data - by matching with a regex.

$something =~ /^([\w.]+)$/;
$cleanvariable = $1;

Here we specify that $something must contain only letters, numbers, underscore, whitespace, or period. The ^ and $ which force the regex to start and finish with one of these 5 characters.

We've also included the [\w.] in braces, allowing us to make use of the $1, $2, $3 etc shortcuts. In our example $1 contains the whole value of $something (assuming it *did* only contain letters, numbers, underscores, white space, or periods).

We can shorten this a little further...

($cleanvariable) = $something =~ /^([\w.]+)$/;

... since the regex returns the $1, $2, $3 etc variables as a list.

The beauty of taint is that it considers all user input to be unsafe by default, but easily allows us to untaint a variable using a simple regex. Forcing us to perform a pattern match on the variable stops lazy habits from putting our security at risk, and makes us think a little more carefully about just what we expect to find in that data: even though it is not a security risk, it is still good practice to reject a telephone number if it contains letters.

At first you will find taint mode rather frustrating - your script will die for so many extra reasons, but after a while you will find it second nature to think secure, and you scripts will be a lot better for it.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Writing Secure CGI Scripts

>>> Be the FIRST to comment on this article!

PERL ARTICLES

- Perl: More on Lists and Hashes
- Perl: Dimensional Lists
- Perl: A Continuing Look at Hashes and Multid...
- Perl: Another Round with Hashes
- Perl Hashes
- Perl Lists: A Final Look at List::Util
- Perl Lists: Utilizing List::Util
- Perl Lists: The Split() Function
- SQL and CGI with Perl and DBI
- Perl Lists: More Functions and Operators
- SELECT Queries and Perl
- Perl Lists: More on Manipulation
- Creating a Database with Perl and DBI
- Perl: Sailing the List(less) Seas
- Perl and DBI
Find More Perl Articles