On Tue, 2002-01-01 at 00:55, Patrik Birgersson wrote:
>
> I may be out of line here, and I've read the replies about
> filtering input.
> However, using Perl CGI + DBD/DBI, Apache and MySQL I write my
> DB queries like this:
>
>     $sth = $dbh->prepare("SELECT * FROM table WHERE param = ?");
>     $sth->execute($param);

Yes, you *can* do it that way. However, you will find very often
something like this:

    my $q = new CGI;
    my $x = $q->param("another_param");
    my $sth = $dbh->prepare("SELECT col FROM table WHERE ref = '$x'");
    $sth->execute;

Even the quoting of $x will not help in case something starts to write
URLs the manual way.

> This (as I understand) prevents SQL injection into the query
> since I don't have the variables directly in the query, but
> supply them upon query execution.

Yes, what happens is that all parameters supplied to $handler->execute()
will be treated with $dbh->quote() prior to using them.
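The two query styles contrasted in the reply, placed side by side in a runnable script (an added example, not code from the thread; it assumes DBD::SQLite is installed and uses a constructed in-memory table in place of the MySQL database):

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database with
# constructed sample rows stands in for the MySQL server of the thread.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (name TEXT, role TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')");

# Vulnerable form from the reply: the CGI parameter is interpolated
# into the SQL text, so quote characters inside it rewrite the query.
sub lookup_interpolated {
    my ($x) = @_;
    my $sth = $dbh->prepare("SELECT name FROM users WHERE name = '$x'");
    $sth->execute;
    return map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# Safe form from the quoted message: the placeholder keeps the parameter
# as data regardless of the characters it contains.
sub lookup_placeholder {
    my ($x) = @_;
    my $sth = $dbh->prepare("SELECT name FROM users WHERE name = ?");
    $sth->execute($x);
    return map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# Constructed parameter value, as a hand-written URL could deliver it.
my $hostile = "nobody' OR '1'='1";

# Interpolation turns the WHERE clause into a tautology and returns
# every row; the placeholder version finds no user with that name.
my @via_interpolation = lookup_interpolated($hostile);
my @via_placeholder   = lookup_placeholder($hostile);
printf "interpolated: %s\n", join(",", @via_interpolation) || "(none)";
printf "placeholder:  %s\n", join(",", @via_placeholder)   || "(none)";

# $dbh->quote() is the manual escaping mentioned in the reply, for the
# rare case where a placeholder cannot be used in a statement.
printf "quoted literal: %s\n", $dbh->quote($hostile);
```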
This archive was generated by hypermail 2b30 : Tue Jan 01 2002 - 09:40:38 PST