PerlMonks  

Re^13: Recalcitrant placeholders

by pryrt (Abbot)
on Aug 05, 2021 at 23:59 UTC


in reply to Re^12: Recalcitrant placeholders
in thread Recalcitrant placeholders

When your code is untainting $argv[1] after the tainted value has been copied into $data{'email'}, why would you expect the database interaction to change? I believe that you need to untaint $data{'email'}, since that's your input to the database.

I switched your code over to SQLite to try it myself; unfortunately, even with the code you posted (except for the switch to SQLite), both CRID and TEST gave me 5. So I cannot test that portion for you. But if you add debug prints of the taintedness of both after you believe you are untainted, you will see

... snippet ...
# tainted() comes from Scalar::Util; say() needs `use feature 'say';`
use Scalar::Util qw(tainted);

# here, you untainted the argv[1], but not the hash value!
if ($argv[1] =~ /^(.+\@.+\..+)$/) {
    $argv[1] = $1;
    say "Looking while Untainted...";
    say "EMAIL: $argv[1]";
    say __LINE__, ": argv is ", (tainted($argv[1]) ? '' : 'not '), "tainted";
    # edit: uncomment here to untaint the hash value as well
    #$data{'email'} = $argv[1];
}
say "argv is ",       (tainted($argv[1])      ? '' : 'not '), "tainted";
say "data{email} is ", (tainted($data{'email'}) ? '' : 'not '), "tainted";
... snippet ...
__END__

With the line commented, as shown:

C:\usr\local\share\PassThru\perl\perlmonks>perl -T pm11135636.pl "" foo@bar.com
Content-type: text/plain

Perl: 5.030000
Database: SQLite 3.26.0
Driver: SQLite
DBI Ver: 1.642
DBD::SQLite Ver: 1.62
Email is tainted
Tainted...
EMAIL: foo@bar.com
Untainted...
EMAIL: foo@bar.com
argv is not tainted
data{email} is tainted
CRID: 5
TEST: 5

With the line uncommented, so it untaints:

C:\usr\local\share\PassThru\perl\perlmonks>perl -T pm11135636.pl "" foo@bar.com
Content-type: text/plain

Perl: 5.030000
Database: SQLite 3.26.0
Driver: SQLite
DBI Ver: 1.642
DBD::SQLite Ver: 1.62
Email is tainted
Tainted...
EMAIL: foo@bar.com
Untainted...
EMAIL: foo@bar.com
argv is not tainted
data{email} is not tainted
CRID: 5
TEST: 5
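The mechanism pryrt describes above, as an added stand-alone example (it is not pryrt's or Bod's code): under `perl -T`, copying a tainted scalar copies its taint flag, so regex-untainting the original array element leaves the copy in the hash tainted until that copy is untainted itself. The `untaint_email()` helper and its deliberately narrow address pattern are assumptions made for this example, not a recommended validator.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread). Run it under taint mode:
#   perl -T taint_copy.pl foo@bar.com
use strict;
use warnings;
use feature 'say';
use Scalar::Util qw(tainted);

# Everything in @ARGV is tainted under -T; a copy of it is tainted too.
my @argv = @ARGV;
die "usage: $0 email\n" unless @argv;
my %data = ( email => $argv[0] );   # the copy that would reach the database

sub report {
    my ($label) = @_;
    say "$label:";
    say "  argv[0] is ",     (tainted($argv[0])     ? '' : 'not '), "tainted";
    say "  data{email} is ", (tainted($data{email}) ? '' : 'not '), "tainted";
}

report('before untainting');

# Untaint ONLY the array element. The capture $1 is untainted (unless
# `use re 'taint'` is in effect), so assigning it back untaints $argv[0].
# %data still holds the original tainted copy.
if ($argv[0] =~ /^([^\s\@]+\@[^\s\@]+\.[^\s\@]+)$/) {
    $argv[0] = $1;
}
report('after untainting argv[0] only');

# Hypothetical helper for this example: validate the value that is actually
# passed on and return the untainted capture, or undef if it does not match.
# It deliberately avoids the /(.*)/ "launder everything" pattern, which
# would defeat the purpose of taint checking.
sub untaint_email {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /^([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/ ? $1 : undef;
}

my $clean = untaint_email($data{email});
die "refusing to use an unvalidated email address\n" unless defined $clean;
$data{email} = $clean;              # overwrite the tainted copy
report('after untainting data{email}');

# $data{email} is now the value to bind, e.g.
#   $dbh->do('SELECT ... WHERE email = ?', undef, $data{email});
# (DBI only checks bind values for taint itself when the handle was
# created with the TaintIn / Taint attribute set.)
```

Run with a syntactically plausible address and the three `report` blocks show the hash value staying tainted through the first untaint and only becoming clean after the second; run with something that does not match the pattern and the script dies rather than passing the raw value on.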

Replies are listed 'Best First'.
Re^14: Recalcitrant placeholders
by Bod (Parson) on Aug 06, 2021 at 13:14 UTC
    When your code is untainting $argv[1] after the tainted value has been copied into $data{'email'}, why would you expect the database interaction to change?

    That was rather stupid of me wasn't it?!?
    No answer required...

    That's what comes of trying to do something quickly last thing at night before bed. A combination of tiredness and rushing is always bound to lead to stupid mistakes. I should know this...

Re^14: Recalcitrant placeholders
by Bod (Parson) on Aug 08, 2021 at 18:29 UTC

    When I untaint the correct variable I get what I expected...

    Perl: 5.016003
    Database: MySQL 10.2.40-MariaDB
    Driver: mysql
    DBI Ver: 1.643
    DBD::mysql Ver: 4.050
    Email is tainted
    Tainted...
    EMAIL: foo@bar.com
    Untainted...
    EMAIL: foo@bar.com
    CRID: 5
    TEST: 5
