sent a customer a Barbie doll instead of the Sony PlayStation he ordered, and rather than praise, this soon-to-be-former customer has a different message for you. In the e-mail address field, he types 'rm *'. Your script, after reading the user input into a variable $email, reasonably enough sends a response:

    open MAIL, "|$SENDMAIL $email" or die $!;

(We'll talk about better ways of signaling errors shortly.) Net result: chaos. The single-string form of a piped open hands the whole command line to the shell, which expands the * and runs rm on everything in the current directory. If you're running on DOS instead, don't think you're safe; that user could have entered '; erase *.*'.

What you need to do is check the e-mail address that's been entered and make sure it won't cause that kind of problem. Suppose we assume for a moment that valid e-mail addresses match the pattern

    \w[\w*%.:-]*@\w[\w.-]*\w

(That's not quite true, but it'll do for our example.) After setting $email from the user input, we could massage it:

    ($email) = $email =~ /(\w[\w*%.:-]*@\w[\w.-]*\w)/;
    unless ($email) {
        # Code to handle no valid email being entered
    }

From the user's input, we extracted an e-mail address that won't cause any nasty side effects when passed to our mail program. If we don't find anything in the input matching that pattern, the list assignment leaves $email undefined, and we can treat it as if nothing at all was entered. You might also choose to compare the result of the match with what the user entered, and if they differ, grumble about a "nonstandard" address being entered.

Before you use that language, however, consider this caveat: the preceding pattern is a grossly simplified version of what it really takes to match a valid e-mail address. The RFC 822 standard (http://www.ietf.org/rfc/rfc0822.txt) specifies a complicated syntax that includes several ways of embedding comments that are arguably not part of the address at all and are unlikely to be entered by a user in a Web form. A regular expression to match it is more than 6K in length and is the tour de force conclusion of Jeffrey Friedl's seminal book, Mastering Regular Expressions (O'Reilly, 1997).
A slightly shorter and somewhat more practical approach is contained in Chapter 9 of the second edition of CGI Programming with Perl by Scott Guelich, Shishir Gundavaram, and Gunther Birznieks (O'Reilly, 2000), but even this book acknowledges that its algorithm's value is principally instructional. (It doesn't confirm that the address can receive e-mail; only an attempt to send mail there can do that.)

What taint mode (enabled with the -T switch) does is force you to launder input data as we just described. Any data that comes from outside your program, including even environment variables, command-line arguments, or directory listings, has associated with it a special flag that marks it as tainted. Any attempt to use tainted data to affect something outside of your program, such as the command line of an external program, results in a run-time exception before that can happen. (The error will mention an "insecure dependency.") And if you use a tainted variable in an expression that is assigned to another variable, that variable becomes tainted too. The only sanctioned way to remove the flag is the one shown above: match the data against a regular expression and use the captured subpattern, which Perl trusts on the grounds that you have looked at what you were capturing.
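As an added illustration (not code from the book), here is a complete script that runs under taint mode and performs the laundering just described end to end. The sendmail path, the form input taken from the command line, and the message body are assumptions made for the demo:

```perl
#!/usr/bin/perl -T
# Added example, not from the book: launder a user-supplied e-mail
# address under taint mode before handing it to sendmail.
use strict;
use warnings;

# Under -T, %ENV is tainted. Fix PATH to a trusted value and drop the
# variables that can change how a child program behaves, or Perl will
# refuse to run any external command at all.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SENDMAIL = '/usr/sbin/sendmail';   # assumed location

# Extract the first thing that looks like an address. Only the captured
# subpattern comes out untainted; the rest of $raw stays tainted. The
# pattern is the book's deliberately simplified one.
sub launder_email {
    my ($raw) = @_;
    my ($addr) = $raw =~ /(\w[\w*%.:-]*@\w[\w.-]*\w)/;
    return $addr;                       # undef when nothing matched
}

# Constructed form input; defaults to the hostile value from the text.
my $input = defined $ARGV[0] ? $ARGV[0] : 'rm *';

my $email = launder_email($input);
unless (defined $email) {
    # Treat it exactly as if no address had been entered.
    print "No valid e-mail address entered.\n";
    exit 0;
}
print "Nonstandard address; using '$email' instead.\n"
    if $email ne $input;

# Even with a laundered address, keep the shell out of it: the list form
# of open() executes sendmail directly, so no metacharacter is ever
# interpreted. The pattern guarantees the address starts with a word
# character, so it cannot be mistaken for a sendmail option either.
open my $mail, '|-', $SENDMAIL, '-oi', $email
    or die "Cannot run $SENDMAIL: $!";
print {$mail} "To: $email\n",
              "Subject: Your order\n\n",
              "Your replacement order is on its way.\n";
close $mail
    or die 'sendmail exited with status ', $? >> 8, "\n";
```

Run it as `perl -T script.pl 'joe@example.com; rm *'` (the -T must be on the command line as well as the shebang, or Perl complains that it is too late). The script mails joe@example.com and notes that the address was trimmed; with the default input 'rm *' it finds no address and sends nothing. If you replace the laundered open with the book's original `open MAIL, "|$SENDMAIL $input"` using the raw input, taint mode stops it before the shell ever sees it, with "Insecure dependency in piped open while running with -T switch".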