http://qs321.pair.com?node_id=162898


in reply to Re: Re: Using-T and Untainting SQL
in thread Using-T and Untainting SQL

Take this as an example:
    my $username = $query->param('username');
    # Do some input validation if necessary

    # DBI code
    my $sql = "SELECT * FROM users WHERE username = ?";
    my $sth = $dbh->prepare($sql);
    $sth->execute($username);
(Note: There are other ways of specifying values for placeholders and binding values, as it is referred to in the DBI documentation.)

If a malicious user were to pass in PotPieMan; DROP TABLE users for the username, the DBI module would parse this as the following:

    SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';

and (most likely) return 0 rows. The point is that you, the programmer, have to worry A LOT LESS about getting every possible case of SQL exploitation covered.

--PotPieMan
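The behaviour described in the post, as an added, runnable illustration that is not part of the original thread: a bound placeholder with DBI against an in-memory SQLite database, the alternative bind_param() form the note mentions, and the caveat that placeholders stand for values only. It assumes DBD::SQLite is installed; the table, rows and sample inputs are constructed here.

```perl
#!/usr/bin/perl
# Added example (not from the original post). Assumes DBD::SQLite;
# the users table and the two sample inputs are constructed for the demo.
use strict;
use warnings;
use DBI qw(:sql_types);

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (username TEXT NOT NULL, email TEXT)");
$dbh->do("INSERT INTO users VALUES (?, ?)", undef,
         'PotPieMan', 'potpieman@example.com');

# One prepared statement, reused for every lookup. The bound value is
# handed to the driver separately (or quoted by it), never parsed as SQL.
my $sth = $dbh->prepare("SELECT username, email FROM users WHERE username = ?");

for my $input ('PotPieMan', 'PotPieMan; DROP TABLE users') {
    # bind_param() with an explicit type is the "other way" of binding
    # the post refers to; passing the value to execute() does the same job.
    $sth->bind_param(1, $input, SQL_VARCHAR);
    $sth->execute;
    my $rows = $sth->fetchall_arrayref;
    printf "%-32s -> %d row(s)\n", "'$input'", scalar @$rows;
}

# The second input was compared as a plain string; nothing was dropped.
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM users");
print "users table still exists with $count row(s)\n";

# Caveat: placeholders stand for *values* only. A table or column name
# cannot be bound; this dies with a syntax error instead of running.
eval {
    my $bad = $dbh->prepare("SELECT * FROM ? WHERE username = ?");
    $bad->execute('users', 'PotPieMan');
};
print "binding a table name fails: $@" if $@;
```

Run it with `perl` after installing DBD::SQLite; the first two lines of output show 1 row and 0 rows respectively, followed by the surviving row count and the error from the identifier-binding attempt.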