Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid
 
PerlMonks  

Re^5: Best practices for closing database connections?

by soonix (Canon)
on Mar 17, 2022 at 13:31 UTC ( [id://11142176]=note: print w/replies, xml ) Need Help??


in reply to Re^4: Best practices for closing database connections?
in thread Best practices for closing database connections?

even ignoring hackers and deliberate wrong input:

as soon as you have legitimate input such as
  • person names like O'Brien
  • company names like Toys “R” Us (or even the older version Toys Я Us
placeholders are way better than coping with the necessary quoting.
  • Comment on Re^5: Best practices for closing database connections?

Replies are listed 'Best First'.
Re^6: Best practices for closing database connections?
by Polyglot (Chaplain) on Mar 17, 2022 at 13:52 UTC

    Quotes are escaped. I always thought such was standard procedure.

    Blessings,

    ~Polyglot~

[reply]

      And that just right there is a defect you've put in your armor needlessly. Rather than placeholder values which never enter the SQL engine's parsing purview you're going to hang your security on quotes "always" being escaped and, more importantly, being escaped correctly (to say nothing of not maliciously being escaped incorrectly). The "standard procedure" should be to pass values outside the context of an SQL statement with placeholders so there's no possibility of the values' contents affecting the parse of the statement itself.

      The cake is a lie.
      The cake is a lie.
      The cake is a lie.

[reply]
      You thought incorrectly.

      Using placeholders is the standard practice.

      Escaping quotes (and, hopefully, other meta-characters) was standard practice for languages, database engines, and database interface layers which weren't capable of supporting placeholders... but such languages, engines, and layers are now relics of a bygone time and have mostly fallen out of use.

      More to the point, neither Perl, nor MySQL/MariaDB, nor DBI have that defect. You are using a set of technologies which are sufficiently modern to provide end-to-end support for placeholders, thus, using them is the standard practice (and universally-acknowledged Best Practice) for those technologies.

      So, why are placeholders the preferred practice?

      Because, when using placeholders, the structure of the query (with placeholders to later insert data values) is presented to the database engine separately from the data values themselves. This makes it absolutely impossible (barring serious bugs in the database engine) for data to be misinterpreted as an SQL instruction. In cases where similar queries are re-used multiple times, it can also provide some performance benefits by allowing you to only do the structural parsing once and then running it with different data values, but this is a secondary benefit, not the primary purpose for using placeholders. Thus, "I'm only going to run this query once" is not a sensible reason to forego their use.

      When done properly, escaping can provide a good level of protection from SQL-based attacks or SQL parsing errors resulting from strange data values. But doing escaping properly is hard and it can be time-consuming as well.

      Using placeholders, in contrast, provides absolute protection and is dead easy. The only way to use them incorrectly is to not use them.

[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://11142176]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others rifling through the Monastery: (3)
As of 2024-04-25 17:27 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found