On Sat, 29 Dec 2001 20:59:51 -0300 "Gabriel A. Maggiotti" <gmaggiotat_private> shouted:

> A common query:
> (1) SELECT * from table WHERE id=$id
> where $id is a variable that the web programmer uses to perform the query.
> This implies that the variable is potentially revalueable (if it is not checked
> before using it).

I may be out of line here, and I've read the replies about filtering input. However, using Perl CGI + DBD/DBI, Apache and MySQL I write my DB queries like this:

    # '?' is a placeholder; no user data is interpolated into the SQL text
    my $sth = $dbh->prepare ("SELECT * FROM table WHERE param = ?");
    # the value is bound at execute time, so it is always treated as data
    $sth->execute ($param);

This (as I understand) prevents SQL injection into the query since I don't have the variables directly in the query, but supply them upon query execution.

If I'm all wrong here, please let the flames begin....

Patrik Birgersson

"No man is good enough to govern another man without that other's consent."
- Abraham Lincoln (1809 - 1865)
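The difference the post describes, shown side by side as an added example (not code from the thread): the interpolated form of Gabriel's query `SELECT * from table WHERE id=$id` next to the placeholder form Patrik uses. It is written in Python against an in-memory SQLite database rather than Perl DBI/MySQL, because it runs offline with no server; the `?` placeholder semantics are the same as in DBI. The table, rows and attacker inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, one secret each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, secret) VALUES (?, ?, ?)",
        [(1, "alice", "s1"), (2, "bob", "s2"), (3, "carol", "s3")],
    )
    conn.commit()
    return conn


# --- the pattern from the quoted post: user input spliced into the SQL text ---

def lookup_id_interpolated(conn, user_id):
    """Vulnerable: the id is pasted into the statement, so it can carry SQL."""
    sql = "SELECT id, name FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def lookup_name_interpolated(conn, name):
    """Vulnerable: a quoted string value, broken out of by an embedded quote."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


# --- the pattern from the reply: prepare with '?', bind the value on execute ---

def lookup_id_parameterized(conn, user_id):
    """Safe: the id is bound as a value; the SQL text never changes."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_name_parameterized(conn, name):
    """Safe: the name is bound as a value; quotes inside it are just characters."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker inputs: a tautology for the numeric case,
    # a quote-breakout for the string case.
    numeric_payload = "1 OR 1=1"
    string_payload = "x' OR '1'='1"

    print("interpolated id  :", lookup_id_interpolated(db, numeric_payload))   # all rows
    print("parameterized id :", lookup_id_parameterized(db, numeric_payload))  # no rows
    print("interpolated name:", lookup_name_interpolated(db, string_payload))  # all rows
    print("parameterized name:", lookup_name_parameterized(db, string_payload))  # no rows
```

With the bound form the payload is compared as a literal value, so `WHERE id = ?` with `"1 OR 1=1"` matches nothing, and `WHERE name = ?` with `x' OR '1'='1` looks for a user literally named that. Two caveats a practitioner should keep in mind: placeholders only cover values, so table names, column names and `ORDER BY` targets still have to be validated against an allow-list, and the query is only safe if the driver really sends the statement and the values separately (or escapes the bound values itself), which is what DBI's prepare/execute split is for.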
This archive was generated by hypermail 2b30 : Mon Dec 31 2001 - 16:09:10 PST