in reply to Re: Taint mode and DBI
in thread Taint mode and DBI

So I have to use both -T and afterwards pass the untainted values to DBI placeholders?

Re^3: Taint mode and DBI
by CountZero (Bishop) on Jan 19, 2015 at 10:46 UTC
    It all depends where your data are coming from. If the data you put in the database is not fully trusted then you should use taint mode and untaint them to make sure they fall within the limits of what is acceptable. Then you pass them to the database using placeholders. If your untainting is comprehensive then the placeholders are probably superfluous, but I find using placeholders in any case more clear and easy.

    CountZero

    "A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

    My blog: Imperial Deltronics
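The untaint-then-placeholders flow described in the reply above, as an added example that is not code from the thread or from CountZero. It assumes DBD::SQLite is installed, builds a constructed in-memory users table, and uses a deliberately tight hypothetical username policy (1-32 ASCII word characters). It also turns on DBI's TaintIn attribute so that DBI itself refuses any value that was never untainted.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T untaint_then_placeholders.pl alice
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T, everything from outside the program (@ARGV, %ENV, STDIN, files)
# arrives tainted.
my $raw = @ARGV ? $ARGV[0] : die "usage: perl -T $0 <username>\n";
printf "raw argument:   %s\n", tainted($raw) ? 'tainted' : 'clean';

# Untaint by regex capture: extracting a submatch is the one thing that
# launders a value, so the pattern IS the validation. Usernames here are
# 1-32 ASCII word characters (a deliberately tight, hypothetical policy).
my ($user) = $raw =~ /\A([A-Za-z0-9_]{1,32})\z/
    or die "rejected: username must match [A-Za-z0-9_]{1,32}\n";
printf "after untaint:  %s\n", tainted($user) ? 'tainted' : 'clean';

# Constructed in-memory database so the script runs offline.
# TaintIn => 1 makes DBI die if any still-tainted argument reaches one of
# its methods, a cheap guard against a forgotten or sloppy untaint.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1, TaintIn => 1 });
$dbh->do('CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)');
$dbh->do('INSERT INTO users (name, role) VALUES (?, ?)', undef, 'alice', 'admin');
$dbh->do('INSERT INTO users (name, role) VALUES (?, ?)', undef, 'bob',   'user');

# Placeholder: the SQL text is fixed at prepare time and the value is sent
# separately, so the database never parses $user as SQL. This protection
# does not depend on how strict the untaint pattern above happens to be.
my $sth = $dbh->prepare('SELECT role FROM users WHERE name = ?');
$sth->execute($user);
my ($role) = $sth->fetchrow_array;
print defined $role ? "$user has role $role\n" : "$user not found\n";

# The raw (still tainted) value is refused by DBI because of TaintIn:
eval { $sth->execute($raw); 1 } or print "DBI refused tainted argument: $@";

# What -T does NOT stop: a rubber-stamp untaint plus string interpolation.
#   my ($u) = $raw =~ /(.*)/;                           # launders anything
#   $dbh->selectrow_array("SELECT role FROM users WHERE name = '$u'");
# That pair is a textbook SQL injection; taint mode is satisfied and only
# the placeholder form above is actually safe.
```

The -T switch must be given on the command line (`perl -T script.pl`); with the switch only in the shebang line, `perl script.pl` dies with "Too late for -T option". The closing comment is the practical caveat to the reply: taint mode checks that you untainted, not that your untaint pattern was sensible, so the placeholder is what actually keeps the value out of the SQL parser.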
Re^3: Taint mode and DBI
by Discipulus (Canon) on Jan 19, 2015 at 11:03 UTC
    I'm not a master of DBI nor a Taint one, but you should understand the distinction between them. You MUST use placeholders when DBI is involved. It is good practice and should never be avoided, even if you are the only user of the application, in my opinion and experience.

    Taint mode is a whole other story. It assumes that all, and I say all, input coming from outside the source code of your Perl program is evil. Evilness is viral, so if you mix presumed-evil data with other data the result is another presumed-evil datum. Taint mode is explained also in Modern Perl.

    HtH
    L*
    There are no rules, there are no thumbs..
    Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.
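The "evilness is viral" behaviour described above, shown concretely as an added example that is not code from the thread or from Discipulus. It assumes only core Perl (Scalar::Util ships with it) and a hypothetical two-entry whitelist table; it shows what taint spreads through, the hash-key whitelist that perlsec documents as untainting, which operation actually dies, and which operations (printing, building a SQL string) taint mode never notices.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T taint_spread.pl date
use strict;
use warnings;
use Scalar::Util qw(tainted);

sub state_of { tainted($_[0]) ? 'tainted' : 'clean' }

# Command-line arguments, like %ENV and STDIN, are tainted under -T.
my $in = @ARGV ? $ARGV[0] : die "usage: perl -T $0 <word>\n";
printf "%-32s %s\n", 'argument from @ARGV', state_of($in);

# 1. Taint is viral: any string built from a tainted value is tainted,
#    no matter how much clean text is mixed in.
my $mixed = "report-" . $in . ".txt";
printf "%-32s %s\n", 'literal . input . literal', state_of($mixed);
my $copy = $mixed;
$copy =~ s/-/_/g;                       # s/// edits it, does not launder it
printf "%-32s %s\n", 'after s/-/_/g', state_of($copy);

# 2. Hash keys are never tainted (perlsec), so matching the input against a
#    fixed table and taking the KEY back out is a regex-free whitelist.
my %allowed = (date => '/bin/date', uptime => '/usr/bin/uptime');   # hypothetical table
my ($choice) = grep { $_ eq $in } keys %allowed;
printf "%-32s %s\n", 'key recovered from whitelist',
    defined $choice ? state_of($choice) : 'not in whitelist';

# 3. Where taint bites: writing a file whose name came from outside dies.
#    Concatenating the name was allowed; only the unsafe operation fails.
my $path = "/tmp/$mixed";
if (eval { open my $fh, '>', $path or die "open: $!\n"; close $fh; 1 }) {
    print "open succeeded (does not happen under -T)\n";
} else {
    print "open refused: $@";   # "Insecure dependency in open while running with -T switch"
}

# 4. Where taint does not bite: the value can be printed, logged, or
#    interpolated into a SQL string without any complaint. Nothing in -T
#    knows what SQL is, which is why placeholders are still required.
print "printing tainted data is allowed: $mixed\n";
```

Run it twice, once with `date` and once with something like `x`, to see the whitelist path go from a clean key to "not in whitelist" while every other line stays the same. Step 4 is the link back to the placeholder advice in the same reply: taint mode protects the operations Perl itself performs (open, exec, system, eval STRING), not the text you hand to another program such as a database.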