
Perl Security

Perl security practices: taint mode, input validation, and safe system calls

Details

Language / Topic: Perl
Category: Security

Rules

- Enable taint mode with `perl -T` for scripts that process external input — it propagates taint through operations and forces explicit sanitization.
- Use `DBI` with placeholders (`$sth = $dbh->prepare('SELECT * FROM t WHERE id = ?'); $sth->execute($id)`) — never interpolate variables into SQL strings.
- Avoid `system()`, `exec()`, and backticks with user-supplied input — use the list form `system($cmd, @args)` to prevent shell injection.
- Untaint external data with a pattern match that extracts only known-safe characters: `($safe) = ($tainted =~ /^([\w.-]+)$/)` — never use `/.*/` to untaint.
- Use `CGI::Tiny` or `Plack` for web input handling — never hand-parse `$ENV{QUERY_STRING}` or `$ENV{HTTP_*}` variables.
- Store secrets in environment variables read with `$ENV{SECRET_KEY}` — never hardcode credentials or keys in Perl source.
- Use `Crypt::Bcrypt` or `Crypt::Argon2` for password hashing — never use `MD5`, `SHA1`, or unsalted `SHA256` for passwords.
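The first four rules (taint mode, DBI placeholders, list-form `system()`, and whitelist untainting) worked through in one script. This is an added example written for this page, not code from the rules' author or from any of the modules named. It assumes `DBD::SQLite` is installed so the database part runs offline, and it uses a constructed `%param` hash in place of the parameters a `CGI::Tiny` or `Plack` request object would return. It goes one step past the rule text in anchoring the untaint patterns with `\A`/`\z` rather than `^`/`$`, for the reason given in the comment.

```perl
#!/usr/bin/perl -T
# Added example, not from the rules page: one request handler that takes an
# untrusted id and filename, untaints both by pattern match, and then touches
# the database only through DBI placeholders and the OS only through the
# list form of system().  Start it as:  perl -T taint_demo.pl
# (the -T on the #! line alone is "too late" when started with a bare `perl`).
use strict;
use warnings;
use DBI;                        # DBD::SQLite is assumed below for an offline demo
use File::Temp qw(tempdir);

# Under -T every %ENV value is tainted and PATH is inherited from the caller,
# so perl refuses to run a child process until PATH is set explicitly and the
# shell-influencing variables are gone ("Insecure $ENV{PATH} while running
# with -T switch").
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing only a known-safe character set.  A value that does not
# match yields undef, so rejection is explicit instead of silently passing the
# raw string on.  \A and \z are used rather than ^ and $ because $ also matches
# before a trailing newline, which would let "42\n" through as "42".
sub untaint_id {
    my ($raw) = @_;
    return unless defined $raw;
    my ($id) = $raw =~ /\A([0-9]{1,10})\z/;       # decimal digits only
    return $id;
}

sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # Letters, digits, underscore, dot and dash: no slash, so no path
    # traversal, and no shell metacharacters, whitespace, newlines or NULs.
    my ($name) = $raw =~ /\A([A-Za-z0-9_.-]+)\z/;
    return if !defined $name || $name eq '.' || $name eq '..';
    return $name;
}

# Placeholder query: the SQL text is fixed and $id is bound as data, so an
# input such as "42 OR 1=1" is compared literally and never parsed as SQL
# (and untaint_id has already rejected it anyway).
sub lookup_user {
    my ($dbh, $id) = @_;
    my $sth = $dbh->prepare('SELECT name FROM users WHERE id = ?');
    $sth->execute($id);
    my ($name) = $sth->fetchrow_array;
    return $name;
}

# List-form system(): each element is one argv entry handed to execve(), with
# no /bin/sh in between, so a name like "x; id" could only ever be one literal
# argument.  The string form system("touch $path") would hand that whole
# string to the shell.  Under -T, passing a still-tainted $path here is fatal,
# which is exactly the check the mode exists to enforce.
sub create_marker {
    my ($dir, $name) = @_;
    my $path = "$dir/$name";
    my $rc = system('/usr/bin/touch', '--', $path);
    return $rc == 0 ? $path : undef;
}

# Constructed request parameters, standing in for what CGI::Tiny or Plack
# would return; a real handler never parses $ENV{QUERY_STRING} itself.
my %param = (id => '42', file => 'report.txt');

my $id   = untaint_id($param{id})         // die "rejected id\n";
my $file = untaint_filename($param{file}) // die "rejected filename\n";

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO users (id, name) VALUES (?, ?)', undef, 42, 'alice');

my $dir  = tempdir(CLEANUP => 1);   # File::Spec->tmpdir skips a tainted TMPDIR
my $name = lookup_user($dbh, $id) // '(no such user)';
my $made = create_marker($dir, $file) // die "touch failed\n";
print "user $name, created $made\n";

# Constructed hostile values: each one is refused by the whitelist before it
# can reach prepare()/execute() or system().
for my $bad ('42 OR 1=1', '../etc/passwd', "report.txt\n", 'x; id') {
    next if defined untaint_id($bad) || defined untaint_filename($bad);
    printf "rejected: %s\n", $bad =~ s/\n/\\n/gr;
}
```

Two details worth noting when adapting this: `$ENV{PATH}` must be assigned, not merely checked, because assignment is what clears the taint flag on it; and a rule such as `($safe) = ($tainted =~ /(.*)/)` would make every one of the hostile values above "safe", which is why the rule list forbids it.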