Test::CGI::Untaint

2shortplanks on 2003-02-05T12:04:23

So I've been experimenting with Tony Bowden's excellent CGI::Untaint module that can be used to automate the process of extracting verified data from CGI requests. This is making our lives so much easier for us at work for some of the stuff we're up to at the moment.

One of the things you can do with this module is define your own "local extraction handlers" which are tiny four line modules that know how to extract data from a string for a particular type. For example, you can get ones for making sure the data is all digits, or ones for getting valid urls.

Of course, writing new local extraction handlers involves writing regular expressions. And as anyone knows, it's quite hard to write a complex regular expression and guarantee it's right - every once in a while you make a stupid mistake, so you have to check your work. The only real way to avoid this is to test your data. And that's where the module comes in: It's a Test::Builder compatible testing tool that can be used to test if the local extraction handler extracts the right thing from a string or rejects the string outright.
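As an added illustration (not code from the original entry, nor from CGI::Untaint's or Test::CGI::Untaint's own distributions), here is a small local extraction handler for TCP port numbers together with plain Test::More checks of what it accepts and rejects. It assumes CGI::Untaint is installed and uses its documented `_untaint_re` / `is_valid` handler interface and `extract(-as_name => 'field')` call; the handler name `port` and the sample parameters are constructed for the example.

```perl
#!/usr/bin/perl
# Added example: a CGI::Untaint local extraction handler for port
# numbers plus tests of its accept/reject behaviour. Assumes CGI::Untaint
# is installed; Test::More ships with Perl.
use strict;
use warnings;

package CGI::Untaint::port;
use base 'CGI::Untaint::object';

# Register this package so CGI::Untaint's require of it succeeds even
# though it lives in this file instead of CGI/Untaint/port.pm.
BEGIN { $INC{'CGI/Untaint/port.pm'} = __FILE__ }

# Anchor with \A and \z rather than ^ and $: $ also matches just before a
# trailing newline, so "80\n" would slip past a ^...$ pattern.
sub _untaint_re { qr/\A(\d{1,5})\z/ }

# A regex cannot say "at most 65535"; the range check belongs here.
# By the time is_valid runs, value() holds the captured group.
sub is_valid {
    my $self = shift;
    my $port = $self->value;
    return $port >= 1 && $port <= 65535;
}

package main;
use CGI::Untaint;
use Test::More tests => 7;

# Constructed sample parameters standing in for a CGI request.
my %params = (
    good     => '8080',
    max      => '65535',
    zero     => '0',
    too_big  => '70000',
    newline  => "80\n",
    embedded => 'port 80',
    suffixed => '80abc',
);

my $h = CGI::Untaint->new(\%params);

# Values the handler should extract.
is($h->extract(-as_port => 'good'), '8080',  'ordinary port extracted');
is($h->extract(-as_port => 'max'),  '65535', 'upper bound accepted');

# Values the handler should reject: extract() returns undef for each.
for my $field (qw(zero too_big newline embedded suffixed)) {
    ok(!defined $h->extract(-as_port => $field), "$field rejected");
}
```

The `newline` and `suffixed` cases are the ones a hand-written `^...$` regex typically gets wrong, and `too_big` is the kind of constraint a regex alone cannot express; putting each in a test is what turns "I think the pattern is right" into something checked on every run.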

This is Profero's first open source module that we've uploaded to CPAN, and I'm really happy that in addition to helping promote Perl we've finally released something of our own. Hopefully it'll be the first of many.


How about tainting?

petdance on 2003-02-05T14:11:32

I don't see the module up yet on search.cpan.org, but does it have a facility for tainting data for the sake of testing? I've never had much happiness with either Taint module.

Re:How about tainting?

2shortplanks on 2003-02-05T15:07:14

No, it doesn't - luckily I didn't have to deal with that.

Any data that is extracted by a local extraction handler has to have run through a regular expression and therefore has to be untainted (at least in the -T sense of the word.)