in reply to perl (mysql) question...
Dear Monk,
You probably know this (at least I hope you know this), and your example was only for illustration purposes. A statement like $sql = qq{ SELECT * FROM $table{'members'} WHERE nick="$username"}; leaves you open to a SQL injection attack. What will happen if the username entered by your user is something like the following?
'john' and userPass='' or 1=1 '
I hope I'm not stating the obvious.
Moral: Use placeholders
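The placeholder advice above, shown side by side with the interpolated form, as an added example that is not part of the original post. It assumes DBD::SQLite with an in-memory database standing in for the MySQL table; the members schema and rows are constructed for the example, and the vulnerable query uses single quotes (equivalent to the post's double quotes on MySQL) so the same SQL also runs on SQLite.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the MySQL table: in-memory SQLite, two rows.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE members (nick TEXT, userPass TEXT)');
$dbh->do(q{INSERT INTO members VALUES ('john', 'secret'), ('mary', 'hunter2')});

my %table = (members => 'members');   # mirrors the post's %table hash

# Vulnerable shape from the post: the user's string is spliced into the SQL
# text, so any quotes it carries change the structure of the statement.
sub lookup_interpolated {
    my ($username) = @_;
    my $sql = qq{SELECT nick FROM $table{'members'} WHERE nick='$username'};
    print "  SQL sent to server: $sql\n";
    my $rows = eval { $dbh->selectall_arrayref($sql) };
    print "  statement rejected (structure altered by input): $@\n" if $@;
    return $rows || [];
}

# Hardened form: the placeholder is bound separately, so the whole input is
# treated as a single string value and never parsed as SQL.
sub lookup_placeholder {
    my ($username) = @_;
    my $sql = qq{SELECT nick FROM $table{'members'} WHERE nick=?};
    print "  SQL sent to server: $sql  (bound value: $username)\n";
    my $sth = $dbh->prepare($sql);
    $sth->execute($username);
    return $sth->fetchall_arrayref;
}

# Run both forms on a normal nick and on the post's quoted input.
for my $input ('john', q{'john' and userPass='' or 1=1 '}) {
    print "input: $input\n";
    for my $fn (\&lookup_interpolated, \&lookup_placeholder) {
        my $rows = $fn->($input);
        print "  rows returned: ", scalar(@$rows), "\n";
    }
}
```

With the placeholder, the quoted input simply matches no nick and returns zero rows, while the interpolated version hands the quotes to the SQL parser.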
In Section: Seekers of Perl Wisdom