After a friend pointed out an SQL injection bug in some of my Perl code, I was confused as to why taint mode had not caught it (I use -T for everything and recommend you do too). After checking the docs again, DBI only checks whether the statement text you pass it is tainted if you set the TaintIn attribute on the handle (the Taint attribute sets TaintIn and TaintOut together). I'm not sure how I missed this before. Personally, I think this is a brain-dead behaviour. If a programmer is security conscious enough to enable taint mode, he probably wants to know about SQL injection bugs.
Update:
After enabling TaintIn for some of my code, DBI became even more retarded. With TaintIn, DBI also checks whether your SQL bind parameters are tainted, not just the statement text. So code like

    $sth = $dbh->prepare("insert into mytable values (?)");
    $sth->execute($user_supplied_data);

fails when $user_supplied_data is tainted. In my opinion this defeats the entire purpose of DBI placeholders: a bound value can never change the structure of the statement, so there is no injection to catch there. I may patch DBI locally and see if I can get it applied upstream.
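The behaviour described above, shown end to end. This is an added example, not code from the post; it assumes DBD::SQLite is installed (an in-memory database stands in for whatever the real code talks to), keeps the post's table name "mytable", and constructs its own tainted input. It runs under perl -T and shows three things: a default handle accepts a tainted bind value, a TaintIn handle rejects the same value even though it is a placeholder parameter, and the regex-capture idiom that untaints input against an explicit allow-list before binding it.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Assumption: DBD::SQLite is available. An in-memory database is enough to
# exercise DBI's taint checks, which happen before the driver sees anything.
my $dsn = 'dbi:SQLite:dbname=:memory:';

# Constructed tainted input. Under -T anything derived from %ENV, @ARGV or
# STDIN is tainted; appending an empty tainted substring is the usual way to
# taint a literal for a demonstration.
my $user_supplied_data = 'alice' . substr($ENV{PATH} // '', 0, 0);
die "expected the demo value to be tainted\n" unless tainted($user_supplied_data);

# 1. Default handle: no TaintIn, so the tainted bind value goes straight
#    through. Tainted statement text would go through just the same, which
#    is the gap that let the original injection bug past -T.
my $lax = DBI->connect($dsn, '', '', { RaiseError => 1, PrintError => 0 });
$lax->do('CREATE TABLE mytable (val TEXT)');
$lax->do('INSERT INTO mytable VALUES (?)', undef, $user_supplied_data);
print "default handle:  tainted bind value accepted\n";

# 2. TaintIn handle: DBI checks every argument to its methods, bind values
#    included, and dies on the tainted one even though a placeholder value
#    cannot alter the SQL text.
my $strict = DBI->connect($dsn, '', '',
    { RaiseError => 1, PrintError => 0, TaintIn => 1 });
$strict->do('CREATE TABLE mytable (val TEXT)');
my $sth = $strict->prepare('INSERT INTO mytable VALUES (?)');

my $accepted = eval { $sth->execute($user_supplied_data); 1 };
print "TaintIn handle:  tainted bind value ",
      ($accepted ? "accepted\n" : "rejected: $@");

# 3. Untaint by matching an explicit allow-list and capturing. Only the
#    capture is untainted, so the pattern doubles as documentation of what
#    the column is allowed to hold; anything else is refused outright.
my ($clean) = $user_supplied_data =~ /\A([A-Za-z0-9_]{1,32})\z/
    or die "input does not match the allow-list, refusing to bind it\n";
$sth->execute($clean);
print "TaintIn handle:  untainted bind value accepted\n";

my ($count) = $strict->selectrow_array('SELECT COUNT(*) FROM mytable');
print "rows in mytable on the TaintIn handle: $count\n";   # 1
```

Run it as `perl -T example.pl`; without -T nothing is ever tainted and all three inserts succeed, which is itself a reminder that the TaintIn check only exists when taint mode is on.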