It works for me, I mean I get the error about insecure dependency.
#!/usr/bin/perl -T
use strict;
use warnings;
use DBI;
use CGI;
use Data::Dumper;
my $cgi = CGI->new;
print $cgi->header(-type => 'text/plain');
my $dbh = DBI->connect(qw(dbi:mysql:test user pass), {RaiseError=>1, T
+aint=>0, TaintIn=>1, TaintOut=>0});
my $id;
($id = $cgi->param('id')) ? get_user() : normal_page();
sub get_user {
my $sth = $dbh->prepare('select * from user where id = ?');
#($id) = $id =~ /^(\d+)$/;
$sth->execute($id);
my $user = $sth->fetchrow_hashref;
$sth->finish;
die "There's no such user id ($id)\n" unless defined $user;
print Dumper($user);
}
sub normal_page {
print 'Hello there';
}
And I got this from the error log when calling user.cgi?id=1:
Insecure dependency in parameter 1 of DBI::st=HASH(0x8265f88)->execute
+ method call while running with -T switch at /path/to/user.cgi line 2
+0.
If I uncomment the untainting line, I got this on the browser (as found in the table):
$VAR1 = {
'pass' => 'perl',
'location' => undef,
'name' => 'perl',
'id' => '1'
};
Open source softwares? Share and enjoy. Make profit from them if you can. Yet, share and enjoy!
| 