in reply to Re: Re: Using-T and Untainting SQL
in thread Using-T and Untainting SQL
Take this as an example:
    my $username = $query->param('username');
    # Do some input validation if necessary
    # DBI code
    my $sql = "SELECT * FROM users WHERE username = ?";
    ...
    $sth->execute($username);

(Note: There are other ways of specifying values for placeholders and binding values, as described in the DBI documentation.)
If a malicious user were to pass in PotPieMan; DROP TABLE users for the username, the DBI module would parse this as the following:

    SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';

and (most likely) return 0 rows. The point is that you, the programmer, have to worry A LOT LESS about getting every possible case of SQL exploitation covered.
--PotPieMan
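A runnable illustration of the point made in the post above, added here as an example (it is not PotPieMan's code and not from the thread). It assumes DBD::SQLite is installed and uses an in-memory database so it runs offline; the hostile input is constructed for the demo. Both lookups receive the same string: the interpolated query leaks every row, the placeholder query compares the string against the column and matches nothing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Throwaway in-memory SQLite database (assumes DBD::SQLite); nothing touches disk.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
# Even the setup rows go in through placeholders; the undef is the \%attr slot of do().
$dbh->do("INSERT INTO users (username) VALUES (?)", undef, $_) for qw(alice bob);

# Vulnerable: the untrusted value is spliced into the SQL text, so a quote character
# inside it changes the structure of the statement.
sub find_user_interpolated {
    my ($dbh, $username) = @_;
    my $sql = "SELECT username FROM users WHERE username = '$username'";
    return $dbh->selectcol_arrayref($sql);
}

# Safe: the SQL is fixed at prepare() time and the value travels as a bound parameter,
# so it can only be compared against the column, never parsed as SQL.
sub find_user_bound {
    my ($dbh, $username) = @_;
    my $sth = $dbh->prepare("SELECT username FROM users WHERE username = ?");
    $sth->execute($username);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# Constructed hostile input for the demo: it closes the quoted string and appends a
# clause that is true for every row. A single-statement payload is used because SQLite
# prepares only the first statement in a string.
my $hostile = "nobody' OR '1'='1";

my $leaked = find_user_interpolated($dbh, $hostile);
my $bound  = find_user_bound($dbh, $hostile);

printf "interpolated query: %d row(s): %s\n", scalar @$leaked, join(', ', @$leaked);
printf "placeholder query:  %d row(s)\n", scalar @$bound;

# A legitimate lookup still works through the placeholder path.
printf "lookup of alice:    %s\n", join(', ', @{ find_user_bound($dbh, 'alice') });

$dbh->disconnect;
```

Two things worth noticing when tying this back to the thread's -T discussion: taint mode on its own does not stop the interpolated version, because DBI calls are not taint-checked unless you ask for it, and DBI's documented `TaintIn` connection attribute is the switch that makes DBI refuse tainted data sent to the database when running under -T. Placeholders remove the need to get the quoting right in the first place; `$dbh->quote()` is the fallback for the rare places where a value cannot be bound.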
Replies are listed 'Best First'.

Re: Re3: Using-T and Untainting SQL
by sdyates (Scribe) on Apr 30, 2002 at 20:02 UTC
by PotPieMan (Hermit) on Apr 30, 2002 at 23:48 UTC
In Section: Seekers of Perl Wisdom