[Mastering-perl] Chapter 3

David H. Adler dha at panix.com
Sat Dec 23 14:13:33 EST 2006


hoo hah.

--
David H. Adler - <dha at panix.com> - http://www.panix.com/~dha/
Chemistry is easy. It's just like witchcraft, but with less newt.
- Willow
-------------- next part --------------
--- 03.taint-checking.pod 2006-12-17 20:52:48.000000000 -0500
+++ 03.taint-checking.pod.rev 2006-12-23 14:11:04.000000000 -0500
@@ -142,7 +142,7 @@
same thing. It saves the new program then runs it with a real perl
which it gets from PATH (excluding itself, of course). Taint checking
is a tool, not a cure. It tells me where I need to do some work. Have
-I said hat enough yet?
+I said that enough yet?

#!/usr/bin/perl
# perl-untaint (rename as just 'perl')
@@ -153,7 +153,7 @@

# determine program name. Usually that's the first thing
# after the switches (or the '--' which ends switches). This
- # won't work is the last switch takes an argument, but handling
+ # won't work if the last switch takes an argument, but handling
# that is just a matter of work.
my( $double ) = grep { $args[$_] eq '--' } 0 .. $#args;
my @single = grep { $args[$_] =~ m/^-/ } 0 .. $#args;
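Review bot: `@single` on the last line of the hunk over-collects, because `m/^-/` also matches the `--` marker itself and any argument after the program name that happens to begin with `-`; since the comment says the program name comes after the switches, bound the search to indices before `$double` when it is defined, e.g. `my @single = grep { $args[$_] =~ m/^-/ } 0 .. (defined $double ? $double - 1 : $#args);`, which leaves only the "last switch takes an argument" case the comment already acknowledges.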
@@ -274,7 +274,7 @@

I can't use this in F<.htaccess> files or other, later configurations.
I have to turn it on for all of mod_perl, meaning that every script
-run through mod_perl, include apparently normal CGI scripts run with
+run through mod_perl, including apparently normal CGI scripts run with
M<Perl::Run> or M<Perl::Registry>, use it. This might annoy users for
a bit, but when they get used to the better programming techniques,
they'll find something else to gripe about.
@@ -476,7 +476,7 @@
do I know I know them all?

# American = uncertainty
- my( $file ) = $ARGV[0] =~ m/([$%;|]+)/i;
+ my( $file ) = $ARGV[0] =~ m/([^$%;|]+)/i;

In some cases, I don't want regular expressions to untaint data. Even
though I matched the data the way I wanted, I might not intend any of
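Review bot: the `+` line still has `$%` unescaped inside the class, and because a pattern is parsed like a double-quoted string (only `$|`, `$(` and `$)` are exempt from interpolation) `$%` is read as the format page-number variable rather than as the two literal characters, so the class is not what the example claims; write `[^\$%;|]` (the `-` line has the same problem). The `/i` modifier also does nothing on a class with no letters. Note too that the fix changes what the example demonstrates: the old pattern captured a run of the listed characters, the new one captures the leading run of everything else, so `$file` becomes whatever precedes the first `$`, `%`, `;` or `|`, and the prose around "do I know I know them all?" should say plainly that this is a blacklist that lets every unlisted character through.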
@@ -642,7 +642,7 @@

system { $args[0] } @args;

-In this form, if C<@arg> is just the single argument C<( "/bin/echo
+In this form, if C<@args> is just the single argument C<( "/bin/echo
'Hello'" )>, C<system> assumes that the name of the command is the
whole string. Of course, it fails because there is no command
C</bin/echo 'Hello'>. Somewhere in my program I need to go back and
@@ -745,7 +745,7 @@
trust before I use them. Checking and scrubbing the data isn't the
only answer and I need to program defensively using the other security
features Perl offers. Even then, taint checking doesn't ensure I'm
-complete safe and I still need to carefully consider the entire
+completely safe and I still need to carefully consider the entire
security environment just as I would with any other programming.

=head1 Further reading
