my $username = $query->('username');
# Do some input validation if necessary

# DBI code
my $sql = "SELECT * FROM users WHERE username = ?";
...
$sth->execute($username);
[download]

If a mailicious user were to pass in PotPieMan; DROP TABLE users for the username, the DBI module would parse this as the following: SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';

and (most likely) return 0 rows. The point is that you, the programmer, have to worry A LOT LESS about getting every posssible case of SQL exploitation covered.

--PotPieMan

Very well put!

I can see why placeholders are very important. I have changed most of my code over to use placeholders. I have seen the light and under stand why it is important.

So there is no big push to use Taint? From what I have read, Taint can invlove a bit of work and cause disruptions if not set up properly.

Thanks

Taint mode makes your script as safe as possible because it makes you more paranoid about the data coming into your script. You should still put taint on your TO DO list, but you should be okay without it. This is, of course, assuming that you aren't making any system calls in your scripts (using backticks, system, exec, or any of the other means of calling an external file).

Unfortunately, I couldn't find any good nodes on taint mode here, but I'll try and look some more. I did find the following:

• Taint Mode

--PotPieMan