Perl Security

Programmers often assume that their script will be used in a particular way and that users will behave as expected. When writing a script, you should always keep in mind that everybody makes mistakes, and some people deliberately try to break things. For example, if your script expects the number 2 but the user types the word "two", what will happen? This is particularly important if you make your scripts available via the Web. You should never trust user input, and you should never use it directly in sensitive operations such as opening files or running commands on the server.

Perl has a taint mode that warns you if the script injects user input directly into a sensitive operation. You can turn on the Perl taint mode by adding the -T switch after the path to the Perl interpreter at the top of your script, for example:

#!/usr/bin/perl -T

Unfortunately, this taint mode does not recognize variables passed to the script from a web form via the param() function, so you'll need to manually check that the user input is what you expect. This is typically performed using regular expressions, where you match the input string against a pattern that describes the only form you are willing to accept.

For example, we can ensure that the form variable Age is a number between 10 and 99:

use strict;
use warnings;
use CGI qw(:standard);   # provides param() and the font() HTML helper

if(param())
{
 # Accept only a two-digit number whose first digit is 1-9, i.e. 10 to 99.
 # The capture group holds the validated value.
 if(!(param('Age')=~/^([1-9][0-9])$/))
 {
  print font({-color=>'red'}, 'Invalid age:  must be between 10 and 99 inclusive.');
  exit;
 }
 # Use the captured text, not the raw form value, from here on.
 my $user_age = "$1";
 print $user_age;
}
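The snippet above checks a single field. The following script is an added example, not code from the book, that generalizes the same technique to several form fields: one anchored pattern per field, a validate() routine that returns only the text captured by the pattern, and a check with Scalar::Util's tainted() to confirm that the value you go on to use is not tainted. The field names Age and Username, their patterns, and the validate() helper are all assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example (not from the book): validating several form fields under
# taint mode, keeping only the text captured by an anchored pattern.
use strict;
use warnings;
use CGI qw(:standard);
use Scalar::Util qw(tainted);

# Assumed form fields and the only shapes we accept. Each pattern is anchored
# with ^ and $ and has exactly one capture group holding the accepted value.
my %rules = (
    Age      => qr/^([1-9][0-9])$/,                  # 10 to 99 inclusive
    Username => qr/^([A-Za-z][A-Za-z0-9_]{2,15})$/,  # 3-16 chars, letter first
);

# validate($field, $raw) returns the captured value when $raw matches the
# field's pattern, or nothing (undef) when it is missing or does not match.
sub validate {
    my ($field, $raw) = @_;
    return unless defined $raw;
    return unless $raw =~ $rules{$field};
    # Text captured by a regex is not tainted, so $1 is safe to use later.
    return $1;
}

my %clean;
for my $field (sort keys %rules) {
    my $value = validate($field, scalar param($field));
    if (!defined $value) {
        print header(),
              font({-color=>'red'}, "Invalid $field: does not match the expected format.");
        exit;
    }
    $clean{$field} = $value;
}

# Only validated values reach this point. tainted() from Scalar::Util lets you
# confirm that before passing a value to open(), system() or a database query.
print header();
for my $field (sort keys %clean) {
    printf "%s: %s (tainted: %s)\n",
        $field, $clean{$field}, tainted($clean{$field}) ? 'yes' : 'no';
}
```

For testing without a web server, CGI.pm accepts name=value pairs on the command line, so perl -T validate.pl Age=25 Username=alice prints both fields with "tainted: no", while perl -T validate.pl Age=two Username=alice stops at the Age check. The CGI module is no longer bundled with Perl, so it may need to be installed first.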

Perl offers some cryptic syntax for regular expressions, but they make the expressions very easy to integrate ...
