CGI Parameter Validation: Simple Validation (slide 4 of 32)

Quick & Dirty

So now we have a simple script that validates our parameter. But what if we want to add more, perhaps 20 or 30, or even more? Reading each parameter we want by hand soon becomes very laborious and prone to errors. How about we simplify it with a loop and eval it ... great idea!

use CGI;

my $cgi = new CGI();
foreach my $name ($cgi->param()) {
  my $value = $cgi->param($name);
  # Both the parameter name and its raw value are interpolated straight
  # into a string that is then run as Perl code.
  eval "\$$name = $value";
}

...

die "Invalid parameter" if($action !~ /^[\w\.\-]+$/);

Hopefully our taint check should spot this. What if amongst the parameter names is an 'rm -rf /'? Better to have a list of known parameters and ignore anything that isn't in the list.
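The allowlist approach the slide recommends, written out as an added example (this is not the slide's own code). It assumes three hypothetical parameter names (action, page, user) with made-up patterns; everything not in the list is ignored, nothing is ever eval'd, and each value is untainted through a regex capture so it works under -T as well.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

# Assumed allowlist (example only): every parameter this script knows about,
# paired with the pattern its value must match. The capture group is what
# untaints the value under taint mode.
my %known = (
    action => qr/^([\w.\-]+)$/,
    page   => qr/^(\d{1,4})$/,
    user   => qr/^([A-Za-z0-9_]{1,32})$/,
);

my %param;   # only validated, known parameters end up here

my $cgi = CGI->new;
for my $name ($cgi->param) {
    # Unknown names are dropped silently, never assigned or eval'd.
    next unless exists $known{$name};

    # Scalar context: first value only; repeated names are not merged.
    my $value = $cgi->param($name);
    my ($clean) = $value =~ $known{$name};
    die "Invalid parameter '$name'\n" unless defined $clean;

    $param{$name} = $clean;
}

# Downstream code reads %param, not the raw CGI object.
print $cgi->header('text/plain');
print "$_=$param{$_}\n" for sort keys %param;
```

For offline testing CGI.pm accepts name=value pairs on the command line, e.g. `perl allowlist.pl action=list page=2 evil=1`, which prints only the two known parameters; a value that fails its pattern makes the script die before anything is used.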


© 2003 Barbie barbie@missbarbell.co.uk Home http://birmingham.pm.org/