|Perl: the Markov chain saw|
Re: So, now what are taints?by graff (Chancellor)
|on Mar 29, 2004 at 02:32 UTC||Need Help??|
It might clarify the idea if you rephrase the question as "what is tainted data?" Data should be considered "tainted" when it comes from a source outside the direct control and complete trust of your system and perl script, such as parameters being submitted on a web form from a remote client, or data coming through a port or socket from a remote host, or data in a file that has global write access.
"Taint" mode in perl is a method of making sure that "tainted data" is officially "quarantined", and is not allowed to be involved in any operation where it could cause damage (whether malicious or simply accidental), such as being used as part of a command line for a sub-shell, or part of an SQL statement passed to a database server, or executed as part of an "eval" block.