The approach Perl takes can be traced back to its origin as a scripting language for systems programming. In that context it makes sense as a simple safety system to help prevent basic injection attacks on often hastily and poorly constructed scripts. Further reason for the "tainted" flag lies in the incredibly poor type system in Perl (so much so Perl doesn't even distinguish between strings, integers, or floats). Very little in Haskell is vulnerable to any kind of injection attack, there is for instance no real equivalent of the eval function that's the source of the majority of Perls problems. In general, those few areas that are vulnerable to injection (things like templating systems, SQL queries, etc.) it's generally better to perform whatever escaping is necessary at that point, as the proper way to sanitize a string will largely depend on the context in which it's being used (I.E. what's a proper sanitization for a SQL query, would be inappropriate for an HTML form and vice versa). Most sane libraries in Haskell will default to escaping appropriate values in their inputs, and give the programmer explicit access to bypass that sanitization if he has specific reason to want to do so, and it is then his responsibility to ensure that the inputs are properly sanitized. If you really wanted to do something equivalent, it would be a simple matter of creating a TaintedString type that just wraps an existing String, and then a series of functions to "untaint" instances of TaintedString. Ultimately though, I feel it would be an awful lot of work for very little gain. Anything in your application that's vulnerable to injection attacks should escape its inputs, no matter what the source is. -R. Kyle Murphy -- Curiosity was framed, Ignorance killed the cat. On Fri, Dec 21, 2012 at 4:31 PM, Mike Meyer wrote:

On Fri, Dec 21, 2012 at 3:15 PM, Erik de Castro Lopo wrote:

...

Mike Meyer wrote:

...

Is there already a Haskell package that does this? Possibly part of a web framework? I've been using Esqueleto (an SQL EDSL) and it sanitizes/quotes all values while constructing SQL queries.

From that description, this is actually different from what I'm talking about. It's typical for SQL packages even in dynamic languages.

What I have in mind is that the query (with placeholders for the values) would have to be a string constant (provided by the programmer) or flagged as "checked and not tainted" by the programmer, otherwise trying to run the query would fail to type check.

If you have a system where you want to let the user select the column names in the query, then SQL placeholders/sanitation may not work - you need to build the query string "by hand". Being able to use the type checking system to insure that no string gets used that hasn't been sanitized would be nice.

_______________________________________________ Beginners mailing list Beginners@haskell.org http://www.haskell.org/mailman/listinfo/beginners