Re: malformed sql queries

From: Stefan Tomlik (stefanat_private)
Date: Tue Jan 01 2002 - 10:47:21 PST


    On Tue, 2002-01-01 at 00:55, Patrik Birgersson wrote:
    > 
    > I may be out of line here, and I've read the replies about
    > filtering input.
    > However, using Perl CGI + DBD/DBI, Apache and MySQL I write my
    > DB queries like this:
    > 
    > $sth = $dbh->prepare ("SELECT * FROM table WHERE param = ?");
    > $sth->execute ($param);
    
    Yes, you *can* do it that way. However, you will find very often
    something like this:
    
    use CGI;
    use DBI;

    my $q = new CGI;
    my $x = $q->param("another_param");   # untrusted value from the request
    # $x is interpolated straight into the SQL text (the unsafe pattern):
    my $sth = $dbh->prepare("SELECT col FROM table WHERE ref = '$x'");
    $sth->execute;
    
    Even the quoting of $x will not help in case someone starts
    to write URLs the manual way.
    
    > 
    > This (as I understand) prevents SQL injection into the query
    > since I don't have the variables directly in the query, but
    > supply them upon query execution.
    
    Yes, what happens is that all parameters supplied to $handler->execute()
    will be treated with $dbh->quote() before they are used.
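The two styles side by side, as an added example that is not from either poster: a constructed table in an in-memory SQLite database (DBD::SQLite is assumed installed) and one hand-written parameter value containing a quote character. The interpolated query matches every row, while the placeholder and $dbh->quote() versions match none.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed demo data: in-memory SQLite via DBD::SQLite (assumed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE t (col TEXT, ref TEXT)");
$dbh->do("INSERT INTO t VALUES ('alice', 'a1'), ('bob', 'b2')");

# Stands in for a URL written "the manual way": the value carries a
# single quote, which closes the string literal in an interpolated query.
my $x = "nothing' OR '1'='1";

# 1. Interpolation: $x becomes part of the SQL text, so the input
#    rewrites the WHERE clause instead of being compared as a value.
my $sth = $dbh->prepare("SELECT col FROM t WHERE ref = '$x'");
$sth->execute;
printf "interpolated: %d row(s)\n", scalar @{ $sth->fetchall_arrayref };

# 2. Placeholder: the SQL text is fixed at prepare() time and $x is
#    bound at execute() time, so it is compared as one opaque string.
$sth = $dbh->prepare("SELECT col FROM t WHERE ref = ?");
$sth->execute($x);
printf "placeholder:  %d row(s)\n", scalar @{ $sth->fetchall_arrayref };

# 3. $dbh->quote() escapes the value for this driver; it gives the same
#    result as the placeholder, but only if applied on every path that
#    builds SQL, which is exactly what hand-built queries tend to miss.
my $quoted = $dbh->quote($x);
$sth = $dbh->prepare("SELECT col FROM t WHERE ref = $quoted");
$sth->execute;
printf "quoted:       %d row(s)\n", scalar @{ $sth->fetchall_arrayref };

$dbh->disconnect;
```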
    
    This archive was generated by hypermail 2b30 : Tue Jan 01 2002 - 09:40:38 PST