in reply to Using -T and Untainting SQL

If memory serves, what I meant was that any time you're building an SQL query from parts passed in via form, you have to be very, very careful to prevent someone from sneaking in something tricky. If you're just passing in values, using binding makes things safe. But if you're passing in any other type of fragment, test it carefully to verify that it's what you expect.

The risk you run by doing my $SQL = "SELECT * FROM table WHERE " . param('whereClause'); is that someone will pass in 0; drop table; and *poof*, you're out of business.

Re: Re: Using -T and Untainting SQL
by sdyates (Scribe) on Apr 29, 2002 at 17:09 UTC

    So using placeholders prevents this from happening? The data is still sent to the db although not through the use of placeholders, but through other variables, cannot the hacker still intercept the information? I think this is where T comes in. I am looking into this right now.

    Yes, I am trying to locate good documentation on the issue... nothing like a good technical doc to sink my teeth into.

    Thanks
    Simon
      Take this as an example:
      my $username = $query->param('username');
      # Do some input validation if necessary
      # DBI code
      my $sql = "SELECT * FROM users WHERE username = ?";
      ...
      $sth->execute($username);
      (Note: There are other ways of specifying values for placeholders and binding values, as it is referred to in the DBI documentation.)

      If a malicious user were to pass in PotPieMan; DROP TABLE users for the username, the DBI module would parse this as the following: SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';

      and (most likely) return 0 rows. The point is that you, the programmer, have to worry A LOT LESS about getting every possible case of SQL exploitation covered.

      --PotPieMan
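The contrast PotPieMan describes, as an added example that is not part of the thread: a lookup that interpolates the username into the SQL text next to one that binds it through a placeholder, both run against a constructed in-memory SQLite table (assumes DBD::SQLite is installed). The string from the post above is tried on both, together with a legitimate name containing a quote, which is the case where interpolation goes wrong even without any attacker.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example (not from the thread): assumes DBD::SQLite is installed
# and builds a throwaway in-memory database with constructed rows.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (username TEXT NOT NULL)");
$dbh->do("INSERT INTO users (username) VALUES (?)", undef, $_)
    for ('PotPieMan', "O'Brien");

# Unsafe: the value is pasted into the SQL text, so any quote character
# in it changes the statement. Returns the rows, or the DBI error text.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql  = "SELECT username FROM users WHERE username = '$name'";
    my $rows = eval { $dbh->selectall_arrayref($sql) };
    return $@ ? "ERROR: $@" : $rows;
}

# Safe: the value travels through a placeholder. DBI and the driver hand
# it to the database as data, so it is never parsed as SQL.
sub lookup_placeholder {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare("SELECT username FROM users WHERE username = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

# Constructed inputs: the string from the post above, and a legitimate
# name that happens to contain a quote.
for my $input ('PotPieMan; DROP TABLE users', "O'Brien") {
    for my $impl (['interpolated', \&lookup_interpolated],
                  ['placeholder',  \&lookup_placeholder]) {
        my ($label, $code) = @$impl;
        my $result = $code->($dbh, $input);
        if (ref $result) {
            printf "%-12s %-28s -> %d row(s)\n", $label, $input, scalar @$result;
        } else {
            printf "%-12s %-28s -> %s", $label, $input, $result;
        }
    }
}
```

With the placeholder version the post's string is simply a username that does not exist (0 rows) and O'Brien is found; with interpolation the quote in O'Brien breaks the statement and DBI raises a syntax error. That is the practical reason to bind values: the database only ever sees your SQL and the value separately, whatever the value contains.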

        Very well put!

        I can see why placeholders are very important. I have changed most of my code over to use placeholders. I have seen the light and understand why it is important.

        So there is no big push to use Taint? From what I have read, Taint can involve a bit of work and cause disruptions if not set up properly.

        Thanks
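For the taint question raised in the last reply, an added example (not from the thread) of what -T actually makes you do. Perl's taint checks do not inspect the SQL you build; what they do is mark every value from outside the program (@ARGV, %ENV, STDIN, CGI parameters) as tainted, and the only way to clear that mark is to pass the value through a regex capture. That forces the validation step the first post asks for whenever a non-value fragment comes from a form. The script reads one constructed argument from the command line and the allowed-username pattern is an assumption for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Added example (not from the thread). Run it as:
#   perl -T untaint.pl PotPieMan
# Under -T, perl refuses to let tainted data reach anything that affects
# the outside world (system(), piped open(), unlink, ...), and it also
# insists on a clean %ENV before any external command can run.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way to clear the taint flag is to extract the value through a
# regex capture, so the pattern must describe exactly what is acceptable
# (an allow-list) rather than enumerate what is dangerous. The pattern
# here is an assumed rule for this example.
sub untaint_username {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

my $raw = $ARGV[0];
die "usage: perl -T $0 <username>\n" unless defined $raw;

my $username = untaint_username($raw);
die "rejected: '$raw' does not match the allowed username pattern\n"
    unless defined $username;

printf "raw argument tainted:     %s\n", tainted($raw)      ? 'yes' : 'no';
printf "after untainting tainted: %s\n", tainted($username) ? 'yes' : 'no';
```

The "disruptions" mentioned above are mostly this: once -T is on, every external value has to go through such a capture before it can be used in a file name, a command or an open(), and a sloppy pattern like /(.*)/ untaints without validating anything. Used with placeholders, the regex handles the parts of a query that cannot be bound (column names, sort order) and the placeholders handle the values.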