I finally got off my duff and wrote a module for work that does a much better job of handling CGI data. It's customized to work for how we do things, so rather than having a general purpose tool, I have something that does what I need it to do. Now, rather than worry about the tedious work of grabbing a bunch of form data and untainting all of it, I just list the fields I want, supply regex filters for those fields and I get a hashref of untainted data back. For my first test, I took a program that was about 450 lines of code (over half of that was munging form data) and reduced it down to 150 lines of code.
Curiously, this happens to dovetail nicely with some planned upgrades to CGI::Safe. That particular module, while being well-intentioned, simply is not yet useful enough to generate much interest. Hopefully, this will turn the trick and make Web programming safer. Of course, if anyone is willing to take a look at it and recommend changes necessary to make it work under mod_perl ... (yes, that was a cry for help!). Since we're a Windows shop (slowly migrating to Linux), I've never had the chance to dig deeply into mod_perl. In fact, I only have one mod_perl site that I've ever built and that was for some internal demos.
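The approach described in the first paragraph (list the wanted fields, give each a regex filter, get back a hashref of untainted data) can be sketched as follows. This is an added example, not the author's module or CGI::Safe code; the function name `untaint_fields`, the field names, the patterns and the sample form data are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper: $raw is a hashref of submitted parameters, $spec maps
# each wanted field to an anchored regex with one capture group. Under
# `perl -T`, only the captured value ($1) of a successful match is untainted.
sub untaint_fields {
    my ($raw, $spec) = @_;
    my (%clean, @rejected);
    for my $field (sort keys %$spec) {
        my $value = $raw->{$field};
        if (defined $value && $value =~ $spec->{$field} && defined $1) {
            $clean{$field} = $1;       # validated capture, safe to use
        }
        else {
            push @rejected, $field;    # missing or failed its filter
        }
    }
    return (\%clean, \@rejected);
}

# Constructed sample input standing in for submitted form data.
my %form = (
    username => 'ovid',
    age      => "42\n",                    # trailing newline
    email    => 'user@example.com;extra',  # trailing junk after the address
    debug    => '1',                       # not in the spec, so never copied
);

# Filters use \A and \z rather than ^ and $: `$` also matches before a
# trailing newline, which would let "42\n" through.
my %spec = (
    username => qr/\A([a-z][a-z0-9_]{2,15})\z/,
    age      => qr/\A(\d{1,3})\z/,
    email    => qr/\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/,
);

my ($clean, $rejected) = untaint_fields(\%form, \%spec);
print "clean:    $_=$clean->{$_}\n" for sort keys %$clean;
print "rejected: $_\n"              for @$rejected;
```

Because the spec is an allow-list, a parameter the program did not ask for (`debug` here) never reaches the returned hashref, and a filter such as `(.*)` would untaint everything and defeat the check.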