I'm developing a database interface that will be used by other developers in my office. As part of our 'best practices' policies, we strongly discourage using unvalidated data in database searches.
To help enforce this policy, I've got the database query parser spitting out a warning if the query is tainted, or if taint mode is disabled.
After searching the net for a while, I haven't found any better way of checking to see if an expression is tainted other than the code in the 'perlsec' man page:
# From perlsec: a tainted argument makes the inner string-eval die with
# "Insecure dependency", so the outer eval returns false and we negate it.
sub is_tainted {
return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}
And for checking whether taint mode is enabled at all, I've been using this ugly code that passes what should theoretically be always tainted:
$taintModeEnabled = &is_tainted( +(getpwuid(0))[1] );
But now I've run into problems. getpwuid() works great on UNIX systems, but in ActiveState Perl on Windows, it breaks.
So my questions are:
- Is there a better way to check for taintedness of a variable, say with a CPAN module (or some internal Perl thing I can check if I create my own XS module)?
- Is there a better way to check if Taint mode is enabled at all? In my dusty Perl reference, I see there's $^W which tells you if Warnings are enabled, but nothing for Taint.
- Is there some source of data that should *always* be tainted, on both Windows & UNIX systems? %ENV isn't necessarily going to be tainted since you can clean it by setting it. <STDIN> is hard to check if there isn't any, etc.
Insert some joke with vaguely sexual innuendo about checking taints here
Thanks!
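The checks the question asks about, as an added example that is not the poster's code: it uses the `${^TAINT}` special variable (set when Perl runs under -T or -t) for the "is taint mode on" question, `Scalar::Util::tainted` beside the perlsec trick for the "is this value tainted" question, and an allowlist regex plus a fail-closed guard for the query layer; it assumes Perl 5.10+ and that `$ENV{USER}`/`$ENV{USERNAME}` (or `PATH` as a fallback) are present, since every %ENV value is tainted at startup under -T on both Windows and UNIX.

```perl
#!/usr/bin/perl -T
# Added example (not the poster's code). Assumes Perl 5.10+ for // and
# ${^TAINT}, and core Scalar::Util; run it as "perl -T this.pl".
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is 1 under -T, -1 under -t (warn only), 0 when taint mode is off.
sub taint_mode_enabled { return ${^TAINT} != 0 }

# perlsec's eval trick, kept as a fallback for perls without Scalar::Util::tainted.
sub is_tainted_eval {
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Untaint by allowlist: return only the captured match, or undef on failure,
# so a caller cannot accidentally pass the raw value through.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([A-Za-z0-9_.-]{1,32})\z/;
    return $1;    # a regex capture is never tainted
}

# The guard the query layer can apply to every bind value: fail closed.
sub checked_bind_values {
    my @vals = @_;
    for my $i (0 .. $#vals) {
        die "bind value $i is still tainted; validate it first\n"
            if tainted($vals[$i]);
    }
    return @vals;
}

# Under -T every %ENV value is tainted at program start, on Windows and UNIX.
# USER exists on UNIX, USERNAME on Windows; PATH is a last resort that will
# not pass the allowlist, which exercises the fail-closed path instead.
my $raw = $ENV{USER} // $ENV{USERNAME} // $ENV{PATH};

printf "taint mode: %s\n", taint_mode_enabled() ? 'on' : 'OFF';
printf "raw value tainted? %s (perlsec trick agrees: %s)\n",
    tainted($raw) ? 'yes' : 'no', is_tainted_eval($raw) ? 'yes' : 'no';

my $clean = untaint_name($raw);
if (defined $clean) {
    my @bind = checked_bind_values($clean);   # passes: $clean is untainted
    printf "validated value '%s' is safe to bind\n", $bind[0];
} else {
    print "value rejected by allowlist; refusing to query\n";
}
eval { checked_bind_values($raw) };           # dies: raw value is still tainted
print "guard blocked the raw value: $@" if $@;
```

Run without -T and the shebang's -T makes Perl exit with "Too late for -T option", which is itself a usable signal that the interface was loaded with taint checking off.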