I might be way off here, especially since I haven't done
much with "taint"ed data, but here's my first thought - 
you need to untaint your data, and then call execute
with the untainted data.  I believe that the tainted
data needs to be run through a regular expression to
"untaint" it.

HTH.

-- 
Hardy Merrill
Red Hat, Inc.

Belinda M. Giardine [EMAIL PROTECTED] wrote:
> The easiest way to explain this is with an example
> 
> #!/usr/bin/perl -wT
> $ENV{'DB2INSTANCE'} = 'XXXXX';
> $ENV{'INSTHOME'} = '/XXXXX/XXXXX/XXXXX';
> 
> use DBI;
> 
> my $dbh = DBI->connect("dbi:DB2:XXXXX", "", "",
>            {RaiseError=>1, PrintError=>0, AutoCommit=>0});
> 
> my $tainted_input = shift;
> my $sth = $dbh->prepare("SELECT DISTINCT tabname FROM syscat.tables " .
>    "WHERE tabschema = ?");
> $sth->execute($tainted_input);
> my @row;
> while (@row = $sth->fetchrow_array) {
>    print "$row[0]\n";
> }
> 
> $dbh->commit;
> $dbh->disconnect;
> 
> This works fine if the T is removed from the shebang line, but fails with
> 
> Can't bind unknown parameter marker '1' at db2_taint line 13.
> Issuing rollback() for database handle being DESTROY'd without explicit
> disconnect().
> 
> when it is as above.  Similar code worked fine with DBI and Oracle.  Did I
> do something wrong or is this a bug?
> 
> Thanks,
> Belinda
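To make the suggestion in the reply concrete, here is an added example (not code from either poster) of the usual Perl idiom: match the tainted argument against a whitelist regex and use only the captured group, which Perl treats as untainted, before handing it to execute(). It assumes a schema name is a plain SQL identifier (letter or underscore, then up to 127 letters, digits or underscores; quoted identifiers with spaces are deliberately rejected), and it keeps the placeholder DSN dbi:DB2:XXXXX and the query from the original post; the DB2INSTANCE/INSTHOME environment settings from that post still need to be in place for the query step. Scalar::Util::tainted() is used only to show that the untaint actually happened.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread: untaint a command-line
# argument with a whitelist regex before binding it with DBI.
# Run as:  perl -T untaint_db2.pl SYSCAT            (untaint demo only)
#          perl -T untaint_db2.pl SYSCAT --query    (also runs the query)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run child processes with a tainted PATH; DBI does
# not need this, but it is the standard first step in any -T script.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist untaint: only the text matched by the capture is returned,
# and a capture variable is never tainted. The pattern is an assumption
# about what a DB2 schema name may look like (ordinary SQL identifier,
# max 128 chars); tighten or loosen it for your naming rules.
# Never untaint with a blanket /(.*)/ - that satisfies -T while
# laundering arbitrary input, which defeats the point of taint mode.
sub untaint_schema {
    my ($raw) = @_;
    return unless defined $raw;
    return unless $raw =~ /\A([A-Za-z_][A-Za-z0-9_]{0,127})\z/;
    return $1;
}

my ($raw_input, $mode) = @ARGV;      # @ARGV is tainted under -T

my $schema = untaint_schema($raw_input);
die "usage: $0 SCHEMA [--query]  (SCHEMA: letters, digits, underscore)\n"
    unless defined $schema;

# Show what the regex did. With -T the first answer is "yes", the second "no".
printf "argument tainted: %s, whitelisted copy tainted: %s\n",
    (tainted($raw_input) ? 'yes' : 'no'), (tainted($schema) ? 'yes' : 'no');

# The database step is optional so the untaint part runs without DB2.
# The DSN below is the same placeholder as in the original post.
if (defined $mode && $mode eq '--query') {
    require DBI;
    my $dbh = DBI->connect("dbi:DB2:XXXXX", "", "",
               {RaiseError => 1, PrintError => 0, AutoCommit => 0});

    # The placeholder already keeps the value out of the SQL text; the
    # untaint only exists to satisfy perl -T and the driver's taint checks.
    my $sth = $dbh->prepare("SELECT DISTINCT tabname FROM syscat.tables " .
                            "WHERE tabschema = ?");
    $sth->execute($schema);          # untainted value, no taint error
    while (my @row = $sth->fetchrow_array) {
        print "$row[0]\n";
    }
    $dbh->commit;
    $dbh->disconnect;
}
```

Two practical notes: perl only honours -T from the shebang when the script is started directly, so when invoking it as `perl script.pl` pass -T on the command line as well (otherwise perl dies with "Too late for -T option"); and untainting does not make a value safe for string-interpolated SQL, it only tells perl you have validated it, so keep the ? placeholder exactly as in the original code.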
