<!-- Presentation generated by Internet Assistant for Microsoft PowerPoint 97 -->
<HTML>
<HEAD>
<meta name="GENERATOR" content="Microsoft Internet Assistant for Microsoft PowerPoint 97">
<TITLE>DBI security tainting</TITLE>
</HEAD>
<BODY >
<CENTER>
<TABLE WIDTH=100%>
<TR> <TD WIDTH=100% ALIGN=CENTER>
<A HREF="sld001.htm">First</A>
<A HREF="sld077.htm">Previous</A>
<A HREF="sld079.htm">Next</A>
<A HREF="sld102.htm">Last</A>
<A HREF="index.htm">Index</A>
<A HREF="dbi.perl.org">Home</A>
<A HREF="tsld078.htm">Text</A>
</TD> </TR>
<TR> <TD WIDTH=100% ALIGN=CENTER>
<IMG SRC="img078.gif" usemap="#Objmap" WIDTH=800 HEIGHT=600 BORDER=0>
</TD> </TR>
</TABLE>
<P>Slide 78 of 102</P>
</CENTER>
<!-- <H2>DBI security tainting</H2>
<UL>
<LI><H2>By default DBI ignores Perl tainting</H2>
<UL>
<LI>doesn't taint database data returned out of the DBI
<LI>doesn't check that parameters passed in to the DBI are not tainted
</UL>
<LI><H2>The TaintIn and TaintOut attributes enable those behaviours</H2>
<UL>
<LI>Only if Perl itself is in taint mode (perl -T); otherwise the attributes are accepted but have no effect
</UL>
<LI><H2>Each handle has its own inherited tainting attributes</H2>
<UL>
<LI>So tainting can be enabled for a connection and disabled for particular statements, for example:
</UL>
<PRE>
$dbh = DBI->connect(..., { Taint => 1 });  # enable both TaintIn and TaintOut
$sth = $dbh->prepare("select * from safe_table");
$sth->{TaintOut} = 0;  # don't taint data fetched through this statement handle
</PRE>
<LI><H2>Attribute metadata currently varies in degree of tainting</H2>
<PRE>
$sth->{NAME};        # generally not tainted
$dbh->get_info(...); # may be tainted if the item of info is fetched from the database
</PRE>
</UL>
-->
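<P>The following script is an added example, not code from the original slides or from the DBI distribution. It exercises the Taint, TaintIn and TaintOut attributes described on this slide end to end: a tainted value interpolated into SQL text or passed as a bind value is refused, the perlsec-style regex untaint lets the value through, fetched data comes back tainted, and a single statement handle opts out with TaintOut set to 0. It assumes DBD::SQLite is installed (the in-memory database, table and rows are constructed for the example; any DBD driver behaves the same way) and it taints a constant by appending a zero-length slice of %ENV, which is always tainted under -T, so it needs no external input.</P>

```perl
#!/usr/bin/perl -T
# Added example, not from the original slides: DBI's Taint, TaintIn and
# TaintOut attributes. Must be run as "perl -T taint_demo.pl"; without -T
# the attributes are accepted but do nothing.
# Assumption: DBD::SQLite is installed. Schema and rows are constructed.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T every value in %ENV is tainted. Appending a zero-length
# substring of one taints a constant exactly as @ARGV or STDIN input
# would, so the example runs without needing external input.
sub taint_it {
    my ($value) = @_;
    return $value . substr(join('', values %ENV), 0, 0);
}

# Taint => 1 turns on both TaintIn and TaintOut for this connection and,
# by inheritance, for every statement handle prepared from it.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, Taint => 1 });

# Constructed sample data; these literals are untainted, so TaintIn
# lets them through.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO users (id, name) VALUES (?, ?)", undef, 1, "alice");
$dbh->do("INSERT INTO users (id, name) VALUES (?, ?)", undef, 2, "bob");

# 1. TaintIn: tainted input interpolated into SQL text is refused by
#    prepare(), so a string-built query from user input never reaches
#    the database. Perl itself dies, as it would for system() or open().
my $user_input = taint_it("1 OR 1=1");   # tainted, like @ARGV or STDIN
eval { $dbh->prepare("SELECT name FROM users WHERE id = $user_input") };
print "prepare(tainted SQL): ", ($@ ? "refused: $@" : "ACCEPTED\n");

# Bind values are method arguments too, so a tainted placeholder value
# is refused by execute() as well: TaintIn forces explicit validation
# rather than trusting placeholders to make any input acceptable.
my $sth = $dbh->prepare("SELECT name FROM users WHERE id = ?");
eval { $sth->execute($user_input) };
print "execute(tainted bind): ", ($@ ? "refused: $@" : "ACCEPTED\n");

# Untaint the way perlsec prescribes: capture from a regex that encodes
# what a valid id looks like. Only the captured digits are untainted,
# so "1 OR 1=1" becomes the harmless id 1.
my ($id) = $user_input =~ /^(\d+)/ or die "not a valid id\n";
$sth->execute($id);                      # now accepted
my ($name) = $sth->fetchrow_array;

# 2. TaintOut: data fetched from the database is tainted, so it cannot
#    reach system(), open(), eval-string etc. without the same explicit
#    validation. This is the protection the slide says is off by default.
printf "fetched '%s' is %s\n", $name, tainted($name) ? "tainted" : "clean";

# 4. Attribute metadata: the slide says tainting of attributes such as
#    NAME varies, so observe it rather than assume.
printf "\$sth->{NAME}[0] is %s in this DBI version\n",
    tainted($sth->{NAME}[0]) ? "tainted" : "clean";
$sth->finish;

# 3. Per-handle override: a statement over a trusted table can switch
#    TaintOut off while the connection keeps it on for everything else.
my $safe = $dbh->prepare("SELECT name FROM users WHERE id = 2");
$safe->{TaintOut} = 0;
$safe->execute;
my ($safe_name) = $safe->fetchrow_array;
printf "fetched '%s' with TaintOut=0 is %s\n", $safe_name,
    tainted($safe_name) ? "tainted" : "clean";
$safe->finish;

$dbh->disconnect;
```

<P>Run it as <CODE>perl -T taint_demo.pl</CODE> (putting -T only on the shebang line and invoking with plain <CODE>perl</CODE> gives "Too late for -T switch"). The two refusals come from Perl's own taint check inside DBI's method dispatch, not from the driver, which is why they fire before any SQL is sent; the regex capture is the one place where the program states what it considers safe input, and that is the discipline TaintIn enforces.</P>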
</Body>
</HTML>