in reply to Re: writing a "CGI::Taint" module
in thread writing a "CGI::Taint" module
My point being that this is a specific case where data is output to the browser, hence CGI. Of course, there's also the issue of templating systems, so valid point about DBI storage as well.
Perhaps then, an extension to DBI that wouldn't let you store tainted data would be useful, along with some pre-defined methods to untaint data - e.g., (1) strip all HTML markup, (2) strip all HTML markup except for specified tags (a la HTML::TagFilter), (3) escape all HTML markup.
```perl
use DBI;
use DBI::Taint;
```
Hmm, still only a germ of an idea...
cLive ;-)
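A sketch of the idea in the post above, as an added example that is not part of the thread and not an existing module: a storage-side check that refuses tainted bind values, plus the three untaint policies the post lists. The names `guard_binds`, `strip_html` and `escape_html` are hypothetical, the input is constructed, and the regex tag handling is a simplification of what a parser such as HTML::TagFilter does.

```perl
#!/usr/bin/perl -T
# Added example; guard_binds, strip_html and escape_html are hypothetical names.
# Run as: perl -T example.pl   (DBI's own TaintIn attribute performs a similar
# refusal on real handles; this sketch needs no database.)
use strict;
use warnings;
use Scalar::Util qw(tainted);

my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');

# Escape without untainting, so partial results stay marked as untrusted.
sub _escape { my ($s) = @_; $s =~ s/([&<>"'])/$ENT{$1}/g; return $s }

# Taint mode only clears the flag through a regex capture; call this last,
# after a policy below has already transformed the value.
sub _launder { my ($s) = @_; $s =~ /\A(.*)\z/s; return $1 }

# Policy (3): escape all markup.
sub escape_html { return _launder(_escape($_[0])) }

# Policies (1) and (2): drop every tag, or keep bare allow-listed tags.
# Attributes are always discarded and text between tags is escaped.
sub strip_html {
    my ($s, @allowed) = @_;
    my %ok  = map { lc($_) => 1 } @allowed;
    my $out = '';
    for my $part (split /(<[^<>]*>)/, $s) {
        if ($part =~ m{\A<(/?)([A-Za-z][A-Za-z0-9]*)\b[^<>]*>\z}) {
            $out .= "<$1" . lc($2) . ">" if $ok{lc $2};
        }
        elsif ($part !~ /\A<[^<>]*>\z/) {
            $out .= _escape($part);
        }
    }
    return _launder($out);
}

# The storage-side check: die if any bind value is still tainted.
sub guard_binds {
    my @bad = grep { tainted($_[$_]) } 0 .. $#_;
    die "tainted bind value at position(s): @bad\n" if @bad;
    return @_;
}

# Constructed input, tainted by appending an empty slice of a tainted variable.
my $input = q{<b onclick="x()">hi</b> <script>x()</script> 1 < 2} . substr($^X, 0, 0);

print "refused: $@" unless eval { guard_binds($input); 1 };
print join("\n", guard_binds(strip_html($input), strip_html($input, 'b'), escape_html($input))), "\n";
```

Untainting here only asserts that the value is safe for HTML output; values passed to DBI still belong in placeholders rather than in interpolated SQL.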
Re: Re: Re: writing a "CGI::Taint" module
by diotalevi (Canon) on Jul 12, 2003 at 22:46 UTC