PerlMonks
... I thought about it, then added #!/usr/bin/perl -Tw at the top of the white board, turning on taint-checking for the entire script. Anything more? Nope -- I had no more ideas.

Erm, but... you would have understood already that by turning on taint checking, you need to do stuff like "run the form data through a regex", because that is what it takes to untaint the tainted data. So either the person was simply making a point that your reference to taint-checking was an incomplete answer (did you forget to say why it helps to add "-T" and what else needs to be done once you add it?), or else the person didn't really understand the concept of taint-checking (which means you really should have given a complete answer about it in the first place).

And for someone else to add a comment about inadequate quoting in "some" DBD modules is kind of a non-sequitur, not directly related to taint checking. It would have been nice to have the presence of mind to say "which DBD modules are you thinking of, in particular, and did you observe specific cases?", but it's worthwhile to consider that if the "sanitizing" logic for passing the taint-check is not sufficiently careful, one can still face SQL injections (or at least embarrassing errors) using "untainted" strings. Hence the need for placeholders in addition to taint-checking.

And "passing strings through a regex" is too vague to qualify as a "solution"; it's generally better (when possible) to handle taint-checking with things like hash-key lookups or similar tests against trusted data. Expectations for CGI parameter values should be as specific as possible.

(updated to fix a minor grammar glitch)

In reply to Re: Preventing SQL injection attacks: are -T and placeholders not enough? by graff
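The two untainting styles graff contrasts (a tight regex capture versus a hash-key lookup against trusted data), followed by a DBI placeholder for the actual query, as an added example that is not part of the original thread and not graff's code. It assumes DBD::SQLite is installed; the form values are constructed inline and tainted by hand so the script can run outside a CGI environment. It also goes one step beyond the post by showing where the hash-key lookup is the only option: a column name in ORDER BY, which a placeholder cannot carry.

```perl
#!/usr/bin/perl -Tw
# Added example (not graff's code). Run as: perl -T untaint_demo.pl
# Assumes DBD::SQLite is available; the "form data" below is constructed.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# In a real CGI these values would come from $q->param() and already be
# tainted. Here we taint them deliberately by appending an empty slice of
# $ENV{PATH}, which carries taint under -T whenever PATH is set.
my $taint = substr($ENV{PATH} // '', 0, 0);
my %form = (
    id   => '42'         . $taint,
    sort => 'email'      . $taint,
    evil => '1 OR 1=1 --' . $taint,   # constructed hostile value
);

# Style 1: regex untaint. Only the capture group is clean, so the pattern
# has to be exactly as specific as the value we expect (a short integer).
sub untaint_id {
    my ($raw) = @_;
    my ($id) = ($raw // '') =~ /\A([0-9]{1,9})\z/
        or die "id must be 1-9 digits\n";
    return $id;
}

# Style 2: hash-key lookup against trusted data. The value returned is the
# one we stored, not the request string, so it is untainted without any
# regex. This is the right tool for identifiers such as column names.
my %sort_columns = map { $_ => $_ } qw(id name email);
sub untaint_sort {
    my ($raw) = @_;
    return $sort_columns{ $raw // '' } // die "unknown sort column\n";
}

my $id   = untaint_id($form{id});
my $sort = untaint_sort($form{sort});
die "value is still tainted\n" if tainted($id) || tainted($sort);

# Untainting is not quoting: pass data through a placeholder, and
# interpolate only the identifier that came out of the whitelist.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$dbh->do('INSERT INTO users VALUES (42, ?, ?)', undef, 'alice', 'alice@example.com');
$dbh->do('INSERT INTO users VALUES (43, ?, ?)', undef, 'bob',   'bob@example.com');

my $sth = $dbh->prepare(
    "SELECT id, name, email FROM users WHERE id = ? ORDER BY $sort");
$sth->execute($id);
while (my $row = $sth->fetchrow_hashref) {
    print "$row->{id} $row->{name} $row->{email}\n";
}

# The hostile value never reaches the database: the regex rejects it.
eval { untaint_id($form{evil}) };
print "rejected: $@" if $@;
```

Note that the `-T` on the shebang line only takes effect when the script is launched with it (a plain `perl script.pl` dies with "Too late for -T"), which is why the usage line says `perl -T`. The point of the whitelist hash mapping each name to itself is that the untainted result is a copy the program owns; the tainted request string is used only as a lookup key and is never interpolated into SQL.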