I was looking at some code of mine and it seems that there is a potential for a problem here that I wasn't aware of.

I'm using CGI and DBI together and found that I can do the following under Taint just fine.

my $username = $q->param('username');   # $q is the CGI object; the value comes straight from the request (tainted)
and later on...
my $sql = "select .. from .. where username = '$username'";   # the tainted value is interpolated directly into the SQL
my $ref = $dbh->selectrow_arrayref($sql);

without any complaints.

I would have expected this to require me to do something to untaint the value in $username.

Doesn't this lead to SQL injections?

Or is that only on update/insert/delete queries instead of select?

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
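The following is an added example, not code from the poster. It shows why taint mode stays silent here: Perl's taint checks only fire when tainted data reaches operations that affect the outside system (system/exec, open, unlink and the like), and a DBI method call is not one of them unless you ask for it. The defence is two-fold, and both parts are shown: untaint the parameter against an allow-list, and pass it to DBI as a bind value rather than interpolating it into the SQL. The example assumes DBD::SQLite is installed (an in-memory table and one constructed row stand in for the real schema), and it assumes DBI's TaintIn connect attribute behaves as DBI documents it, i.e. that under -T DBI dies on tainted arguments instead of sending them to the database.

```perl
#!/usr/bin/perl -T
# Added example (not from the original mailing-list post).
# Assumes DBD::SQLite is available; table and row below are constructed.
use strict;
use warnings;
use DBI;

# TaintIn (assumption: as documented by DBI) makes DBI refuse tainted
# arguments when perl runs under -T. Without it, DBI accepts them silently,
# which is exactly what the question observed.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, TaintIn => 1 });

$dbh->do("CREATE TABLE users (username TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES (?, ?)", undef,
         "o'brien", "ob\@example.invalid");   # constructed sample row

# Under -T, command-line arguments are tainted just like a CGI parameter.
my $raw = shift @ARGV;
defined $raw or die "usage: perl -T $0 USERNAME\n";

# Step 1: untaint with an allow-list. Only a regex capture clears the taint
# flag, and only characters a username may legitimately contain are allowed.
my ($username) = $raw =~ /^([\w.'-]{1,32})\z/
    or die "invalid username\n";

# Step 2: bind the value instead of interpolating it. The SQL text and the
# data travel separately, so a quote in the name (o'brien) is data, not syntax.
my $sql = "SELECT email FROM users WHERE username = ?";
my $ref = $dbh->selectrow_arrayref($sql, undef, $username);

print defined $ref ? "email: $ref->[0]\n" : "no such user\n";

# For comparison, the interpolated form from the question. With the sample
# row above, o'brien becomes ... WHERE username = 'o'brien' and the database
# rejects it as a syntax error; other inputs would instead change the query.
# my $sql_bad = "SELECT email FROM users WHERE username = '$username'";
```

Run it as `perl -T script.pl "o'brien"` (the -T on the command line is required when it is on the #! line). Skipping the regex in step 1 makes the call die with a DBI taint error, which is the behaviour the question expected to see; removing TaintIn from the connect attributes restores the silent acceptance the poster observed, which is why placeholders, not taint mode, are the actual protection against injection.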