[CDBI] Re: how can I make data returned from CDBI methods be considered untainted?

Michael G Schwern schwern at pobox.com
Fri Mar 2 21:23:38 GMT 2007


Edward J. Sabol wrote:
> Charlie Katz wrote:
>> In my mod_perl application, I trust the data CDBI is giving me
>> from my database (SQLite), so I would like it not to be considered
>> tainted. In my CDBI application base class, after setting up the
>> connection to the database, I say
>>
>> __PACKAGE__->db_Main->{Taint} = 0

This should have worked, but it's unsafe.  Should CDBI need to reconnect it
will set it back to the default.

You should be able to just do this:

    # TaintOut was added in DBI 1.31 and it's safer than setting
    # Taint => 0 as tainted input is still unacceptable.
    # TaintOut => 0 leaves TaintIn on: fetched data comes back untainted,
    # but tainted arguments to DBI methods are still rejected.
    Your::CDBI->connection($dsn, $user, $pass, { TaintOut => 0 });


>> But the data are still coming out marked tainted. Should this work,
>> or am I missing something?
> 
> I don't know, but I would probably try a different tack and override the
> _default_attributes method instead, like so:
> 
> 	sub _default_attributes {
> 		my $class = shift;
> 		return (
> 			$class->SUPER::_default_attributes,
> 			Taint => 0,    # later keys win, so this overrides the inherited Taint
> 		);
> 	}

Argh!  That's a private method (or at least protected)!
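Worked example, added here and not part of the thread or of DBI/Class::DBI: a stand-alone script run under perl -T that flips DBI's Taint, TaintIn and TaintOut flags on a live handle and checks, with Scalar::Util::tainted, what each setting does to fetched data and to a tainted bind value. It talks to DBI directly against an in-memory SQLite database (it assumes DBD::SQLite is installed and that $ENV{PATH} is set, which is where it borrows a tainted string from); Taint => 1 is set by hand to stand in for the default the thread describes, and the table, column and value names are made up for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread.  Shows what DBI's Taint,
# TaintIn and TaintOut attributes do under `perl -T`, using plain DBI with
# an in-memory SQLite database (assumes DBD::SQLite is installed).
# Class::DBI is not involved; Taint => 1 is set explicitly to mirror the
# default the thread describes.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T every environment value is tainted.  An empty substring of
# $ENV{PATH} is still tainted, and concatenating it taints a literal.
# Assumes PATH is set (it is in any normal shell).
my $taint = substr($ENV{PATH}, 0, 0);
my $dirty = 'alice' . $taint;    # tainted "alice"
my $clean = 'alice';             # untainted literal

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO users (name) VALUES (?)', undef, $clean);

# Fetch one value; the caller asks whether it came back tainted.
sub fetch_name {
    my ($dbh) = @_;
    my ($name) = $dbh->selectrow_array('SELECT name FROM users WHERE id = 1');
    return $name;
}

# Bind a value; returns 1 if DBI ran the query, 0 if the TaintIn check died
# before the value reached the driver.
sub lookup_accepts {
    my ($dbh, $value) = @_;
    my $ok = eval {
        $dbh->selectrow_array('SELECT id FROM users WHERE name = ?', undef, $value);
        1;
    };
    return $ok ? 1 : 0;
}

sub report {
    my ($label) = @_;
    printf "%-22s fetched data tainted: %-3s  tainted bind value accepted: %s\n",
        $label,
        tainted(fetch_name($dbh))    ? 'yes' : 'no',
        lookup_accepts($dbh, $dirty) ? 'yes' : 'no';
}

# 1. Taint => 1 (what the thread says CDBI gives you): fetched data is
#    tainted AND a tainted bind value is rejected.
$dbh->{Taint} = 1;
report('Taint=1');

# 2. TaintOut => 0 with TaintIn left on: fetched data is usable without
#    untainting, but a tainted bind value is still refused.
$dbh->{TaintOut} = 0;
report('Taint=1, TaintOut=0');

# 3. Taint => 0 switches both off: fetched data is clean, but tainted input
#    now flows straight into the driver.  This is the unsafe option.
$dbh->{Taint} = 0;
report('Taint=0');

# Sanity check: an untainted value is accepted even with TaintIn on.
$dbh->{Taint} = 1;
print "clean bind value with Taint=1 accepted: ",
    (lookup_accepts($dbh, $clean) ? 'yes' : 'no'), "\n";
```

Run it as `perl -T taint_demo.pl` (the -T on the shebang line is refused if the script is started without it). The flags are set one at a time on the connected handle so the order is explicit: Taint is a shortcut that sets TaintIn and TaintOut together, so a later Taint assignment overrides an earlier TaintOut one. The combination to aim for is TaintIn on and TaintOut off: fetched values are untainted, while a tainted value handed to a DBI method still dies instead of being passed to the driver.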


