Cover V10, I02

feb2001.tar


Listing 2 Code added into the example CGI script to untaint the query string data

# Untaint $val since it's going to be passed to the shell. Under taint
# mode (perl -T) anything derived from outside the program, such as the
# query string, is tainted and may not be passed to system(), exec() or
# backticks. The regular expression match below succeeds only if $val
# consists entirely of these characters: A-Z, a-z, 0-9, _ (the \w class),
# plus '+', '-', '@' and '.'. If it does, $1 holds the text that matched,
# and because $1 is the result of a regular expression match it is
# considered "laundered" (untainted). Set $val to $1, and $val is now
# laundered too.
#
# Note the \z end anchor: a plain $ would also match just before a
# trailing newline, so "foo\n" would be accepted and the newline would
# reach the shell. A '-' is allowed, so a value such as "-rf" can still
# be taken as an option by the command it is handed to; pass it after a
# "--" or use the list form of system() if that matters.
#
if ($val =~ /^([\w+\-@\.]*)\z/)
  {
    $val = $1;
  }
else
  {
    die "Bad value for parm = $val";
  }
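The listing above is a fragment of the article's CGI script. The following standalone script is an added example, not code from the original article, that shows the same idiom end to end: it runs under taint mode, reports whether each value is tainted before and after laundering with the Listing 2 allowlist, and proves that taint mode refuses the raw value while accepting the laundered one. The script name untaint_demo.pl, the use of command-line arguments in place of query string parameters, and the path /usr/bin/printf are assumptions for the demo.

```perl
#!/usr/bin/perl -T
# Added example (not from the original article). Run it as, for instance:
#   perl -T untaint_demo.pl 'fred.jones@example.com' 'x;rm -rf /' "ok$(printf '\n')"
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to start a child process while PATH and the
# environment variables the shell honours are tainted, so clean them first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Same allowlist as Listing 2: \w (A-Z a-z 0-9 _) plus + - @ .
# \A ... \z anchors reject a trailing newline that $ alone would allow,
# and + instead of * rejects an empty value as well.
sub untaint_parm {
    my ($name, $val) = @_;
    if ($val =~ /\A([\w+\-@.]+)\z/) {
        return $1;    # $1 comes from a match, so it is laundered
    }
    die "Bad value for parm $name = '$val'\n";
}

# In taint mode @ARGV is tainted just like CGI input would be, so each
# argument stands in for one query string value.
for my $raw (@ARGV) {
    printf "input %s tainted=%d\n", _show($raw), tainted($raw) ? 1 : 0;

    # Even a harmless-looking raw value is still tainted and is refused.
    eval { system('/usr/bin/printf', "%s\n", $raw) };
    print "  raw value refused by -T: $@" if $@;

    my $clean = eval { untaint_parm('q', $raw) };
    if (!defined $clean) {
        print "  rejected by allowlist: $@";
        next;
    }
    printf "  laundered %s tainted=%d\n", _show($clean), tainted($clean) ? 1 : 0;

    # List-form system() never invokes a shell, and the value arrives as an
    # argument after the format string, so a leading '-' cannot be read as
    # an option. With the value laundered, taint mode lets this through.
    system('/usr/bin/printf', "  printf got: %s\n", $clean) == 0
        or die "printf failed: $?\n";
}

# Render control characters visibly so a stray newline is obvious in the output.
sub _show {
    my ($s) = @_;
    (my $v = $s) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return "'$v'";
}
```

The first value is accepted and echoed, the second fails the allowlist because of the ';', '/' and space, and the third fails because the embedded newline is outside the allowlist; had the match used $ instead of \z, that third value would have been laundered with the newline intact.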