I (maybe mistakenly) thought when the placeholder was quoted that it was
also untainted. It appeared to work that way with Oracle, but we recently
started switching to DB2 and scripts that were working broke when a
variable was tainted.
I forgot to mention the versions in case that helps.
DBI 1.37
DBD::DB2 0.76
Belinda
On Tue, 26 Aug 2003, Hardy Merrill wrote:
> I might be way off here, especially since I haven't done
> much with "taint"ed data, but here's my first thought -
> you need to untaint your data, and then call execute
> with the untainted data. I believe that the tainted
> data needs to be run through a regular expression to
> "untaint" it.
>
> HTH.
>
> --
> Hardy Merrill
> Red Hat, Inc.
>
> Belinda M. Giardine [EMAIL PROTECTED] wrote:
> > The easiest way to explain this is with an example
> >
> > #!/usr/bin/perl -wT
> > $ENV{'DB2INSTANCE'} = 'XXXXX';
> > $ENV{'INSTHOME'} = '/XXXXX/XXXXX/XXXXX';
> >
> > use DBI;
> >
> > my $dbh = DBI->connect("dbi:DB2:XXXXX", "", "",
> > {RaiseError=>1, PrintError=>0, AutoCommit=>0});
> >
> > my $tainted_input = shift;   # first command-line argument: tainted under -T
> > my $sth = $dbh->prepare("SELECT DISTINCT tabname FROM syscat.tables " .
> > "WHERE tabschema = ?");
> > $sth->execute($tainted_input);   # script line 13: this is the call that dies under -T
> > my @row;
> > while (@row = $sth->fetchrow_array) {
> > print "$row[0]\n";
> > }
> >
> > $dbh->commit;
> > $dbh->disconnect;
> >
> > This works fine if the T is removed from the shebang line, but fails with
> >
> > Can't bind unknown parameter marker '1' at db2_taint line 13.
> > Issuing rollback() for database handle being DESTROY'd without explicit
> > disconnect().
> >
> > when it is as above. Similar code worked fine with DBI and Oracle. Did I
> > do something wrong or is this a bug?
> >
> > Thanks,
> > Belinda
>
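For anyone reading this in the archive, here is an added example (not code from Belinda's or Hardy's mail) of what Hardy's suggestion looks like when carried out: the schema name is untainted through an allowlist regex capture, and the untainted value is then still handed to execute() through the placeholder. The subroutine names untaint_schema, untaint_dsn and list_tables, the identifier and DSN patterns, and the optional DSN argument are assumptions made for this example; the query against syscat.tables is the one from Belinda's script.

```perl
#!/usr/bin/perl -wT
# Added example, not part of the original thread. Shows regex untainting
# of command-line input under -T, followed by a normal bind-parameter
# execute. Subroutine names and the allowlist patterns are assumptions.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Perl clears the taint flag only on data that came out of a regex capture,
# so the character class below *is* the security policy: a plain SQL
# identifier and nothing else. (Assumed policy; widen it only deliberately.)
sub untaint_schema {
    my ($raw) = @_;
    return $1 if defined $raw && $raw =~ /\A([A-Za-z_][A-Za-z0-9_]{0,127})\z/;
    die "refusing schema name: not a plain identifier\n";
}

# Same idea for a DSN given on the command line (assumed shape dbi:Driver:name).
sub untaint_dsn {
    my ($raw) = @_;
    return $1 if defined $raw && $raw =~ m{\A(dbi:\w+:[\w.;=/-]*)\z};
    die "refusing DSN: unexpected characters\n";
}

# The query from the original post. Untainting satisfies Perl's taint
# check; it is not a substitute for the placeholder, which is what keeps the
# value out of the SQL text.
sub list_tables {
    my ($dbh, $schema) = @_;
    my $sth = $dbh->prepare(
        "SELECT DISTINCT tabname FROM syscat.tables WHERE tabschema = ?");
    $sth->execute($schema);
    my @names;
    while (my @row = $sth->fetchrow_array) {
        push @names, $row[0];
    }
    return @names;
}

my ($raw_schema, $raw_dsn) = @ARGV;   # everything in @ARGV is tainted under -T
die "usage: $0 SCHEMA [DSN]\n" unless defined $raw_schema;

printf "input  '%s' tainted: %s\n", $raw_schema, tainted($raw_schema) ? "yes" : "no";
my $schema = untaint_schema($raw_schema);
printf "schema '%s' tainted: %s\n", $schema, tainted($schema) ? "yes" : "no";

# Only talk to a database when a DSN was supplied, so the taint part above
# can be tried on a machine without DB2 at all.
if (defined $raw_dsn) {
    require DBI;
    my $dbh = DBI->connect(untaint_dsn($raw_dsn), "", "",
        { RaiseError => 1, PrintError => 0, AutoCommit => 0 });
    print "$_\n" for list_tables($dbh, $schema);
    $dbh->commit;
    $dbh->disconnect;
}
```

Run it as `perl -T script.pl SYSCAT` (or make it executable and run it directly); starting it as plain `perl script.pl` makes Perl stop with "Too late for -T" because the flag on the shebang line must match the command line. The first printf reports the argument as tainted and the second reports the captured copy as untainted; a schema name containing anything outside the allowlist, such as `SYSCAT' OR '1'='1`, is rejected before any handle is touched.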