Hi.

I use DBI and DBD::mysql (both up-to-date versions from CPAN) in a mod_perl application. When constructing the SQL statements I

1) untaint the vars used to concat the actual statements
2) use (partly tainted) vars in bind_param() and execute().

In the eternal struggle for more security I tried to use Taint => 1 in my database connect now. Unfortunately, using tainted vars in bind_param() and execute() results in Taint errors. Since I don't want to excessively filter the vars I use in my binds, the only solution would be to blindly untaint the bound vars.

Is there a reason for the taint check of the bound params? Would there be any security risk in doing a

    $x =~ /^(.*?)$/; $x = $1;

for the bound params? If not, why does DBI taint check them? How should I proceed?

I appreciate any help. Thanks in advance.

Hendrik