No automatic safety feature is a substitute for thinking.

If CGI param()s are tainted (and I believe they are) and you're using the bind params, then I think SQL injection is the least of your worries. It will probably complain if you don't think to check the tainted stuff. And if you test poorly and untaint and it gets passed to DBI ... it probably won't matter because the DBI quoting and bind params should take care of it automatically. I don't believe JavaScript can change the problem space with respect to SQL injection.

However, taint and DBI probably won't help with things like cross-site scripting and the remote root hole on some random service you didn't know you had running (if applicable).

-Paul


In reply to Re^3: is this mentality safe? by jettero
in thread is this mentality safe? by Anonymous Monk
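The three behaviours Paul describes (DBI complaining about tainted input, an explicit untaint, and a bind param doing the quoting) shown together in one script. This is an added example, not code from the thread; it assumes DBD::SQLite is installed and is run as `perl -T taint_dbi.pl "o'brien"`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Constructed stand-in for CGI->param('user'): under -T, command-line
# arguments are tainted exactly like request parameters are.
my $user = $ARGV[0] // die "usage: perl -T $0 USERNAME\n";
printf "input tainted: %s\n", tainted($user) ? 'yes' : 'no';

# In-memory SQLite database (assumes DBD::SQLite). Taint => 1 enables
# DBI's TaintIn check, so tainted values handed to execute() croak.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, Taint => 1 });
$dbh->do('CREATE TABLE users (name TEXT)');
$dbh->do(q{INSERT INTO users VALUES ('alice'), ('o''brien')});

my $sth = $dbh->prepare('SELECT name FROM users WHERE name = ?');

# 1. The "it will probably complain" case: a tainted bind value.
eval { $sth->execute($user) };
print "DBI refused tainted value: $@" if $@;

# 2. Untaint with an explicit allow-list pattern; only the capture is clean.
my ($clean) = $user =~ /\A([\w' .-]{1,64})\z/
    or die "rejected user name\n";
printf "after untaint: %s\n", tainted($clean) ? 'tainted' : 'clean';

# 3. The placeholder sends the value separately from the SQL text, so the
#    apostrophe in o'brien is data, not syntax; no manual quoting needed.
$sth->execute($clean);
my @rows = map { $_->[0] } @{ $sth->fetchall_arrayref };
print "matched: @rows\n";
```

Step 2 is where the thinking happens: the pattern decides what a user name may contain, and nothing in step 3 can rescue a pattern that is too loose.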