- Tainting Untainting
I am trying to write code that ensures safe input from a form.
This is what I have come up with after a few days of study...
Being that I am a beginner at this I am sure it is quite incomplete,
but I don't know how.
Help? Ideas? Pointers?
```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Sanitise one form field. $value arrives tainted under -T.
# FailPage() is the poster's own error-page routine and is not shown here.
sub sanitize_field {
    my ($value) = @_;

    # Chomp \n's.
    $value =~ s/\n//g;
    # Delete embedded HTML comments - security measure to prevent subverting
    # server-side includes. Non-greedy, so two comments in one value do not
    # swallow the text between them.
    $value =~ s/<!--.*?-->//gs;
    # Filter out everything not in this list: a-zA-Z0-9 . - _ @
    # i = ignore case, g = all occurrences
    $value =~ s/[^a-z0-9._@-]//gi;
    # Check for an email address: if an @ appears, split and reconstitute it
    # as an email address.
    if ($value =~ /\@/) {
        #### This will untaint for -T: assigning from the captures, only when
        #### the match succeeded, yields an untainted copy.
        if ($value =~ m/(\S+)\@([\w.-]+)/) {
            $value = "$1\@$2";
        }
    }
    # Delete leading dashes.
    $value =~ s/^-+//;
    # Reject the commands system, exec & unlink.
    if ($value =~ m/system|exec|unlink/i) {
        FailPage("Unsafe verbage is being used.<BR>Do not use the phrase");   # message cut off in the original post
    }
    return $value;
}
```
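The approach the post is reaching for (strip what looks bad, then copy `$1`/`$2` back into the variable) is the scrub-and-hope pattern; the approach taint mode is built around is to validate the whole value against an explicit whitelist pattern and keep only the capture, rejecting anything else. The script below is an added example written for this page, not the poster's code: `untaint_field`, the two pattern constants and the sample values are all assumptions for illustration. It makes its sample input tainted by appending a zero-length substring of `$ENV{PATH}` (a tainted value at startup), so it runs stand-alone under `perl -T` and reports the taint flag before and after.

```perl
#!/usr/bin/perl -T
# Added example: whitelist-based untainting of form fields under taint mode.
# Validate the entire value against an anchored pattern and return only the
# capture; a capture from a successful match is the one operation perl treats
# as untainting. Everything that does not match is rejected, not "cleaned".
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Whole-value patterns, anchored at both ends. Names are assumptions.
my %PATTERNS = (
    # local part and domain limited to word chars, dots and dashes
    email => qr/^([\w.-]+\@[\w.-]+\.[A-Za-z]{2,})$/,
    # a plain identifier: no leading dash, bounded length
    ident => qr/^([A-Za-z0-9_][A-Za-z0-9._-]{0,63})$/,
);

# Returns the untainted value, or undef when the value does not match the
# whole pattern. Callers must treat undef as "reject the request" and never
# fall back to the raw value.
sub untaint_field {
    my ($kind, $raw) = @_;
    return undef unless defined $raw;
    my $re = $PATTERNS{$kind} or die "unknown field kind '$kind'";
    $raw =~ s/\r?\n//g;                 # strip line breaks (header-injection guard)
    return undef unless $raw =~ $re;    # whole value must match
    return $1;                          # the capture is untainted
}

# Constructed sample input. Under -T every %ENV value is tainted at startup,
# and a zero-length substring of a tainted string is still tainted, so
# appending $TAINT marks our literals the way real CGI parameters arrive.
my $TAINT   = substr($ENV{PATH} // '', 0, 0);
my @samples = (
    [email => 'user.name@example.com' . $TAINT],
    [ident => '--rm-rf; system("x")'  . $TAINT],
    [ident => 'report_2024-q1'        . $TAINT],
);

for my $case (@samples) {
    my ($kind, $raw) = @$case;
    my $clean = untaint_field($kind, $raw);
    printf "%-5s in=%-26s tainted=%d -> %s\n",
        $kind, "'$raw'", tainted($raw) ? 1 : 0,
        defined $clean
            ? sprintf("accepted '%s' (tainted=%d)", $clean, tainted($clean) ? 1 : 0)
            : 'rejected';
}
```

Run it as `perl -T untaint_demo.pl` (the `-T` on the shebang line is not honoured when the script is started through `perl script.pl`, and perl will complain "Too late for -T"). The email and the well-formed identifier come back with `tainted=0`; the identifier carrying a leading dash and a `system(` fragment is rejected outright rather than having the offending characters removed, which is the point: a deny-list of words like `system` or `exec` can always be spelled around, while an anchored whitelist pattern only admits what the application actually expects.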