in reply to Re: Tainted or bad characters
in thread Tainted or bad characters

Just to expand on TMH's post. For instance, passing a string containing ";" to a shell is a bad idea, but taking that same string and pushing it to a file that is used as a FAQ is not. Tainted means different things to different outputs; imagine someone being able to push cascade deletes in a SQL statement, or ":" into data that is to be written to an /etc/passwd file. Perl's view of tainted data is anything that comes from the end user that is not checked to verify the string. Real-life tainted data is data that is not checked to verify "good" behavior in its destination.

-Waswas

Re: Re: Re: Tainted or bad characters
by Anonymous Monk on Jul 28, 2003 at 22:21 UTC
    This was most helpful. I was looking for a magic bullet, but, as always, it's more complicated than originally thought. To clarify, I use the data to send out as an email or store in a MySQL db for later display or manipulation. I love the quick help I get here at the monastery.

      Ok, just be sure you're using placeholders so your external data doesn't ever become part of the SQL command. See the DBI documentation for more on that.
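Waswas's point that the same string is harmless for one destination and dangerous for another, plus the placeholder advice above, as a Perl example added here (not code from the thread). It assumes DBD::SQLite is installed and uses a constructed input string; the regex-capture untaint idiom is the one Perl's -T mode expects.

```perl
#!/usr/bin/perl
# Added example, not from the thread: one user-supplied string, checked
# differently depending on where it is about to go.
use strict;
use warnings;
use DBI;

# Constructed sample input, the sort of thing a web form might hand us.
my $input = "bob'; DELETE FROM faq; --";

# Destination 1: a field in an /etc/passwd-style record. A ":" or a
# newline would change the record layout, so only a conservative
# user-name shape is allowed. Returning the capture ($1) is also how
# a value is untainted under perl -T.
sub untaint_passwd_field {
    my ($s) = @_;
    return $s =~ /^([a-z_][a-z0-9_-]{0,31})$/ ? $1 : undef;
}

# Destination 2: a SQL statement. Instead of hunting for "bad"
# characters, pass the value to DBI as a bind parameter; it never
# becomes part of the command text, so the DELETE is stored as data.
sub store_faq_entry {
    my ($dbh, $text) = @_;
    my $sth = $dbh->prepare('INSERT INTO faq (body) VALUES (?)');
    $sth->execute($text);    # bound, not interpolated into the SQL
    return $dbh->selectrow_array(
        'SELECT body FROM faq ORDER BY id DESC LIMIT 1');
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE faq (id INTEGER PRIMARY KEY, body TEXT)');

my $name = untaint_passwd_field($input);
print defined $name
    ? "passwd field ok: $name\n"
    : "rejected for /etc/passwd: not a plain user name\n";

my $stored = store_faq_entry($dbh, $input);
print "stored verbatim in faq table: $stored\n";
print "rows in faq: ",
    scalar $dbh->selectrow_array('SELECT COUNT(*) FROM faq'), "\n";

$dbh->disconnect;
```

The same string is rejected for the passwd field but accepted, and stored literally, for the FAQ table, which is exactly the "different destinations, different checks" point.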