Beefy Boxes and Bandwidth Generously Provided by pair Networks
Come for the quick hacks, stay for the epiphanies.

Re3: Using-T and Untainting SQL

by PotPieMan (Hermit)
on Apr 29, 2002 at 18:55 UTC ( [id://162898] : note . print w/replies, xml ) Need Help??

in reply to Re: Re: Using-T and Untainting SQL
in thread Using-T and Untainting SQL

Take this as an example:
my $username = $query->('username'); # Do some input validation if necessary # DBI code my $sql = "SELECT * FROM users WHERE username = ?"; ... $sth->execute($username);
(Note: There are other ways of specifying values for placeholders and binding values, as it is referred to in the DBI documentation.)

If a mailicious user were to pass in PotPieMan; DROP TABLE users for the username, the DBI module would parse this as the following: SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';

and (most likely) return 0 rows. The point is that you, the programmer, have to worry A LOT LESS about getting every posssible case of SQL exploitation covered.


Replies are listed 'Best First'.
Re: Re3: Using-T and Untainting SQL
by sdyates (Scribe) on Apr 30, 2002 at 20:02 UTC

    Very well put!

    I can see why placeholders are very important. I have changed most of my code over to use placeholders. I have seen the light and under stand why it is important.

    So there is no big push to use Taint? From what I have read, Taint can invlove a bit of work and cause disruptions if not set up properly.


      Taint mode makes your script as safe as possible because it makes you more paranoid about the data coming into your script. You should still put taint on your TO DO list, but you should be okay without it. This is, of course, assuming that you aren't making any system calls in your scripts (using backticks, system, exec, or any of the other means of calling an external file).

      Unfortunately, I couldn't find any good nodes on taint mode here, but I'll try and look some more. I did find the following: