----- Original Message ----- From: "Tom Allison" <[EMAIL PROTECTED]>
Newsgroups: perl.beginners
To: "beginners perl" <beginners@perl.org>
Sent: Saturday, March 25, 2006 1:33 PM
Subject: Taint mode and SQL


I was looking at some code of mine and it seems that there is a potential for a problem here that I wasn't aware of.

I'm using CGI and DBI together and found that I can do the following under Taint just fine.

my $username = $q->param('username');   # tainted: comes straight from the request
and later on...
my $sql = "select .. from .. where username = '$username'";   # value interpolated into the SQL text
my $ref = $dbh->selectrow_arrayref($sql);

without any complaints.

I would have expected this to require me to do something to untaint the value in $username.

Doesn't this lead to SQL injections?

Or is that only on update/insert/delete queries instead of select?

I don't know if this will be helpful, but here is a column by Randal Schwartz describing SQL injection attacks.

http://www.stonehenge.com/merlyn/UnixReview/col58.html

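The point raised in the question, as an added example that is not code from either message: DBI does not check its arguments for taint unless the TaintIn attribute is on, so the interpolated select runs untouched; a placeholder sends the value as data, and with TaintIn set DBI refuses tainted SQL or bind values until they have been validated. The example assumes DBD::SQLite is installed and that $ENV{PATH} is set (it is used only as a source of taint); the table and the input value are constructed.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread. Runs offline against an
# in-memory SQLite database; assumes DBD::SQLite is installed.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (username TEXT, email TEXT)');
$dbh->do(q{INSERT INTO users VALUES ('alice', 'alice@example.com')});
$dbh->do(q{INSERT INTO users VALUES ('bob',   'bob@example.com')});

# Constructed stand-in for $q->param('username'): appending an empty slice of
# a tainted %ENV value taints the string, exactly as CGI input would be.
my $username = q{x' OR '1'='1} . substr($ENV{PATH}, 0, 0);
printf "input is tainted: %s\n", tainted($username) ? 'yes' : 'no';

# 1. The pattern from the post. Taint mode says nothing, because DBI checks
#    its arguments for taint only when TaintIn is set (it is off by default).
#    The injected quote closes the literal and the OR matches every row.
my $sql  = "SELECT email FROM users WHERE username = '$username'";
my $rows = $dbh->selectall_arrayref($sql);
printf "interpolated query returned %d row(s)\n", scalar @$rows;

# 2. Placeholder: the value travels as data and is never parsed as SQL.
$rows = $dbh->selectall_arrayref(
    'SELECT email FROM users WHERE username = ?', undef, $username);
printf "placeholder query returned %d row(s)\n", scalar @$rows;

# 3. Make DBI enforce taint: tainted SQL text or bind values are now refused.
$dbh->{TaintIn} = 1;
eval { $dbh->selectall_arrayref($sql) };
print "with TaintIn: $@";

# Untainting means extracting a validated capture; undef means "rejected".
sub untaint_username {
    my ($raw) = @_;
    my ($clean) = $raw =~ /\A(\w{1,32})\z/;
    return $clean;
}
for my $raw ($username, 'alice' . substr($ENV{PATH}, 0, 0)) {
    my $clean = untaint_username($raw);
    if (defined $clean) {
        $rows = $dbh->selectall_arrayref(
            'SELECT email FROM users WHERE username = ?', undef, $clean);
        printf "%-16s -> %d row(s)\n", $clean, scalar @$rows;
    } else {
        printf "%-16s -> rejected before reaching the database\n", $raw;
    }
}
```

Run it with `perl -T`; the -T flag on the shebang is only honoured when taint mode is already on from the command line.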

