
Encrypting form data, risky with register_globals=on?
Quote:
> After data has been entered into an SSL protected webform and submitted
> ('post'ed), I want to encrypt the data using PGP (actually GnuPG) and
> email it.
> As I will use shared webhosting I cannot control the setting of
> register_globals= and almost all webhosting companies have this set to =on
> for compatibility purposes.
> I have a few questions:
> 1/ Does this mean that there is a greater security risk and an increased
> need to thoroughly validate the form's data, including stripping out
> certain characters? Isn't this situation somewhat similar to not calling
> Perl using -T (taint mode)?
No. The only problem with register_globals on is that if you use
uninitialized variables you may get into problems. If you set error
reporting to E_ALL while developing you will get warnings whenever you use
uninitialized variables, and thus it should be possible to avoid this.
If you make sure to use the superglobals $_POST, $_GET etc., and never use
an uninitialized variable, your solution will work regardless of the register
globals setting, and not only be more secure, but also more portable.
But obviously, when handling data coming from the user, all the normal
precautions apply.
Quote:
> 2/ Once the form's data has been 'post'ed, is it possible/preferable to
> PGP encrypt the data directly from memory as opposed to writing (fwrite)
> the forms data to a temporary (tempnam) file on disk (which poses a few
> security problems)? If yes, what commands should I use? If you prefer to
> point me to a particular webpage for more info. that's fine :)
This depends on the setup, so yes, this is an issue to consider. I guess you
should be able to feed pgp data from stdin (looks like the -f switch is
what you need), but I haven't tried this so I can't guarantee anything, man
pgp :)
André Næss
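
The two points in the reply above (read only from `$_POST`, and hand the plaintext to the encryption program on stdin rather than through a temporary file), as an added example that is not part of the original post. It assumes PHP 7.4 or later and a `gpg` binary on the PATH; the field names, recipient address and keyring path are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Hypothetical placeholders: the recipient's public key must already be
// imported into a keyring kept outside the web root. No private key is needed here.
const GPG_RECIPIENT = 'orders@example.com';
const GPG_HOMEDIR   = '/home/site/.gnupg';

function encrypt_via_stdin(string $plaintext): string
{
    // Array form runs gpg directly, so no shell ever parses the arguments.
    // '--trust-model always' skips the key-validity prompt; acceptable only
    // because the keyring holds just the one key you imported yourself.
    $cmd  = ['gpg', '--homedir', GPG_HOMEDIR, '--batch', '--no-tty', '--armor',
             '--trust-model', 'always', '--recipient', GPG_RECIPIENT, '--encrypt'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);  // plaintext goes to gpg's stdin, never to disk
    fclose($pipes[0]);              // EOF marks the end of the message
    $armored = stream_get_contents($pipes[1]);
    $errors  = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0 || $armored === '' || $armored === false) {
        throw new RuntimeException('gpg failed: ' . trim((string) $errors));
    }
    return $armored;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Every variable is assigned explicitly from $_POST, so the script behaves
    // the same whether register_globals is on or off.
    $name    = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';
    $message = is_string($_POST['message'] ?? null) ? $_POST['message'] : '';

    // Size limits keep the input well inside the pipe buffer and reject junk.
    if ($name === '' || strlen($name) > 100 || preg_match('/[\r\n]/', $name)
        || $message === '' || strlen($message) > 8000) {
        http_response_code(400);
        exit('Invalid input');
    }
    // Only ciphertext reaches mail(); the headers contain no user-supplied data.
    $body = encrypt_via_stdin("Name: $name\n\n$message\n");
    mail(GPG_RECIPIENT, 'Encrypted form submission', $body);
}
```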