
<HTML>

<HEAD>

<meta name="GENERATOR" content="Microsoft Internet Assistant for PowerPoint 97">
 <TITLE>DBI security tainting</TITLE> 
</HEAD>

<BODY>

 <H1>DBI security tainting</H1> 
<UL>
<LI><H2>By default DBI ignores Perl tainting</H2>
<UL>
<LI>doesn't taint database data returned ‘out’ of the DBI
<LI>doesn't check that parameters passed ‘in’ to the DBI are not tainted
</UL>
</UL>
<UL>
<LI><H2>The TaintIn and TaintOut attributes enable those behaviours</H2>
<UL>
<LI>They take effect only if Perl itself is running in taint mode (-T).
</UL>
</UL>
<UL>
<LI><H2>Each handle has its own inherited tainting attributes</H2>
<UL>
<LI>So tainting can be enabled for particular connections and disabled for particular statements, for example:
</UL>
$dbh = DBI-&gt;connect(…, { Taint =&gt; 1 }); # enable TaintIn and TaintOut
<BR>$sth = $dbh-&gt;prepare("select * from safe_table");
<BR>$sth-&gt;{TaintOut} = 0;  # don’t taint data from this statement handle
<BR>
</UL>
<UL>
<LI><H2>Attribute metadata currently varies in degree of tainting</H2>
<UL>
<LI>$sth-&gt;{NAME}; — generally not tainted
<LI>$dbh-&gt;get_info(…); — may be tainted if the item of info is fetched from the database
</UL>
</UL>
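<P>The following script is an added example, not part of the original slides or of DBI itself. It runs under <CODE>perl -T</CODE> and assumes DBD::SQLite is installed so an in-memory database keeps it self-contained; the <CODE>users</CODE> table and its single row are constructed sample data. It shows the three behaviours above: TaintOut tainting fetched data, TaintIn rejecting a tainted bind value until it is laundered, and a statement handle opting out of TaintOut while the connection's defaults stay in force.</P>

```perl
#!/usr/bin/perl -T
# Added example (not from the DBI slides). Assumes DBD::SQLite is installed;
# the in-memory database and the 'users' table are constructed sample data.
# Run as:  perl -T taint_demo.pl          (untainted literal input)
#          perl -T taint_demo.pl bob      (tainted input from @ARGV)
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Taint => 1 sets both TaintIn and TaintOut on the connection; every statement
# handle prepared from it inherits both attributes.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, Taint => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, "alice");   # constructed row

# TaintOut: data fetched through this handle comes back tainted, so Perl will
# refuse to pass it to system(), open() and similar until it is laundered.
my ($name) = $dbh->selectrow_array("SELECT name FROM users WHERE id = 1");
printf "fetched '%s' is %s\n", $name, tainted($name) ? "tainted" : "not tainted";

# TaintIn: a tainted value may not be used as SQL text or as a bind value.
# Under -T, anything taken from @ARGV or %ENV is tainted.
my $input = @ARGV ? $ARGV[0] : "alice";
my $sth   = $dbh->prepare("SELECT id FROM users WHERE name = ?");
if (eval { $sth->execute($input); 1 }) {
    print "execute() accepted the parameter\n";
} else {
    print "execute() rejected it: $@";
}

# Launder the input with a regex capture: only the captured text is untainted,
# so the pattern doubles as an allow-list for what a user name may contain.
my ($clean) = $input =~ /\A([A-Za-z0-9_]{1,32})\z/
    or die "input does not look like a user name\n";
$sth->execute($clean);
my ($id) = $sth->fetchrow_array;
printf "lookup for '%s' returned %s\n", $clean, defined $id ? "id $id" : "no row";

# Per-handle override: a statement known to return trusted data can switch
# TaintOut off for itself without affecting any other handle.
my $safe = $dbh->prepare("SELECT name FROM users");
$safe->{TaintOut} = 0;
$safe->execute;
my ($plain) = $safe->fetchrow_array;
printf "opted-out handle returned a %s value\n", tainted($plain) ? "tainted" : "clean";
```

<P>Note that the regex capture is the only way to untaint the value; TaintIn does not validate the data, it only refuses to forward anything Perl has marked as untrusted, so the allow-list pattern is where the actual input check lives.</P>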



</BODY>
</HTML>