Would it be possible for DBI to have a TaintInput attribute, similar to its current |Taint| one, but only checking incoming data, without tainting data coming from the DB?
Bugzilla currently has all its SQL calls done via in its own function (SendSQL), which (among other things) tests if the passed in string is tainted using the is_tainted function given in the perlsec pod. Using one function inside Bugzilla for all SQL calls has flexibility problems (for example, it currently only uses prepare/execute/fetchall_array internally, even when other functions would be better). The problem with DBI's current taint attribute is that Bugzilla trusts the database itself (since thats all which we are protecting, theres not much point in not doing so), we just want to be careful that we don't pass unquoted/unsanitised strings to the database. Tainting the output values means that if we want to use the results from the db in another query, we have problems, and manually detainting every second SQL call is painful. The alternative is to subclass the DBI (Which I plan on doing anyway, for other reasons). Is it guaranteed that if I override |prepare|, all the calls to do/select*_*/etc will pass through |prepare| at some point? Bradley
