Taint Checking - Example

Example

The following very dangerous Perl code opens a large SQL injection vulnerability by interpolating the value of the $name variable straight into the query without checking it:

    #!/usr/bin/perl
    my $name = $cgi->param("name");   # Get the name from the browser (untrusted, so tainted)
    ...
    $dbh->{TaintIn} = 1;              # DBI attribute: check the SQL text for taint (only effective under -T)
    $dbh->do("SELECT * FROM users WHERE name = '$name';");   # Execute a SQL query built by string interpolation

If taint checking is turned on, the code would exit with a warning, because a tainted variable is being used in a SQL query. Without taint checking, a user could enter foo'; DROP TABLE users --, thereby running a command that deletes the entire database table. Much safer would be to encode the tainted value of $name as a SQL string literal and use the result in the SQL query, guaranteeing that no dangerous command embedded in $name will be evaluated. Another way to achieve that is to use a prepared statement with bound placeholders, so that variable input is passed to the database as data rather than parsed as part of the query.

One thing to note is that Perl DBI requires one to set the TaintIn attribute on the database handle, in addition to running Perl in taint mode, before it checks the SQL strings passed to it.
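The contrast described above, as an added example that is not code from the original page: taint mode (-T) together with DBI's TaintIn attribute rejecting the interpolated query, beside the placeholder-plus-untaint form. The SQLite DSN, the users table and its name column, and the CGI module are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the original page). Assumes a SQLite file users.db
# with a table "users" that has a "name" column, and CGI for the request.
use strict;
use warnings;
use CGI;
use DBI;

my $cgi = CGI->new;
my $dbh = DBI->connect("dbi:SQLite:dbname=users.db", "", "",
    { RaiseError => 1, TaintIn => 1 });   # TaintIn only works under -T

my $name = $cgi->param("name");           # tainted: it came from the request

# 1. Interpolating $name taints the whole SQL string, so under -T with
#    TaintIn this line dies ("Insecure dependency") instead of running.
#    Without taint checking it is the injectable query from the text.
#    $dbh->do("SELECT * FROM users WHERE name = '$name';");

# 2. Bound placeholders keep the value out of the SQL text, but TaintIn
#    also refuses tainted bind values, so untaint with an explicit
#    allow-list first: a regex capture is what lifts the taint in Perl.
my ($clean) = $name =~ /\A([\w .-]{1,64})\z/
    or die "rejected name: does not match the allow-list";

my $sth = $dbh->prepare("SELECT * FROM users WHERE name = ?");
$sth->execute($clean);                    # value passed separately, never parsed as SQL
while (my $row = $sth->fetchrow_hashref) {
    print "$row->{name}\n";
}
```

With the interpolated line uncommented, input such as foo'; DROP TABLE users -- fails the taint check before reaching the database; with the placeholder form it is simply a string that matches no row.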
