...
One way to find potential injection points quickly is to use Perl's taint mode.
```perl
# ... beginning of code
my $dbh = DBI->connect("dbi:SQLite:dbname=$dbfile", "", "")
    or die "Couldn't connect to database: " . DBI->errstr;
$dbh->{TaintIn} = 1;   # check DBI method arguments for tainted data
# ... rest of code
```
With TaintIn set, DBI refuses to let tainted data reach the database: a tainted argument to prepare() (or to other DBI method calls, including the bind values passed to execute()) makes the call die immediately with an error message:
...
Note that both conditions are required: the program must be run in taint mode (perl -T, or a #!/usr/bin/perl -T shebang line), and the TaintIn attribute must be set on the connection handle. TaintIn defaults to off even when Perl is running under -T, and setting it without -T has no effect, because there is no taint tracking for it to check.
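The following script is an added example, not code from the original page: it shows taint mode and TaintIn rejecting a value taken from the command line, first when interpolated into the SQL string and again when passed as a placeholder bind value, and then the validate-and-untaint step that lets a checked value through. The in-memory SQLite database, the users table and the allowed-username pattern are constructed for this example.

```perl
#!/usr/bin/perl -T
# Added example: Perl taint mode plus DBI's TaintIn attribute.
# Run as:  perl -T taint_demo.pl alice
use strict;
use warnings;
use DBI;

# Constructed in-memory database so the script runs offline.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 })
    or die "Couldn't connect to database: " . DBI->errstr;
$dbh->{TaintIn} = 1;   # defaults to off, even under -T

$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 'alice\@example.com')");

# Anything read from the command line is tainted under -T.
die "usage: $0 USERNAME\n" unless @ARGV;
my $name = shift @ARGV;

# 1. Interpolating tainted data into the SQL: DBI refuses at prepare().
my $sth = eval { $dbh->prepare("SELECT email FROM users WHERE name = '$name'") };
print "prepare() with tainted SQL string: ", ($@ ? "rejected: $@" : "allowed\n");

# 2. Placeholders alone do not satisfy TaintIn: the bind value passed to
#    execute() is still tainted, so execute() dies as well.
$sth = $dbh->prepare("SELECT email FROM users WHERE name = ?");
eval { $sth->execute($name) };
print "execute() with tainted bind value: ", ($@ ? "rejected: $@" : "allowed\n");

# 3. Untaint by validating. Only a regex capture clears the taint flag, so the
#    pattern is the real security control. The one below (lowercase letters,
#    digits and underscore, 1 to 32 characters) is an assumed policy for this
#    example; use whatever your own data actually permits.
my ($clean) = $name =~ /\A([a-z0-9_]{1,32})\z/
    or die "Rejected username: does not match the allowed pattern\n";

# The untainted value is still passed as a bind value, never interpolated.
$sth->execute($clean);
while (my ($email) = $sth->fetchrow_array) {
    print "email for $clean: $email\n";
}
$dbh->disconnect;
```

Two things the run makes visible. First, TaintIn does not distinguish between interpolated SQL and bind values: both calls die until the data is untainted, so the tool points you at every place external input reaches DBI, which is exactly what makes it useful for finding injection points. Second, untainting is only as safe as the regex you untaint with; a permissive pattern such as `/(.*)/` silences the check without validating anything, so keep the pattern strict and keep using placeholders even for untainted values.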
...