PerlMonks
Re^2: Avoiding SQL insecurities
by DrHyde (Prior) on Jul 15, 2004 at 08:40 UTC [id://374574]
Perhaps more important - because it's a bit more subtle - is that you should NEVER directly interpolate user input into SQL. Don't do things like:

    $dbh->do("UPDATE mytable SET foo='$wossname' WHERE bar='$otherwossname'");

where $wossname comes straight from an HTML form, because at some point, a nasty fellow like me will provide a value like:

    you are screwed';DELETE FROM mytable;

which is the classic SQL injection attack. *That's* why placeholders are so good, but even with placeholders, you need to validate user input so that you don't try to update a user's date of birth with "grapefruit".
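An added example, not part of DrHyde's post (which is about Perl/DBI): the same contrast in Python's sqlite3 module, whose `?` placeholders play the role of DBI's. It shows the interpolated SQL text the post warns about, the placeholder version storing the nasty value as plain data, and the date-of-birth check the post asks for. The `mytable` schema, its rows and the function names are constructed for the example.

```python
import re
import sqlite3
from datetime import date
from typing import Optional, Tuple

# Constructed sample value, the one from the post above.
NASTY = "you are screwed';DELETE FROM mytable;"


def unsafe_update_sql(wossname: str, otherwossname: str) -> str:
    """The post's anti-pattern: the values become part of the SQL text.
    Returned rather than executed so the reader can see what the server would get."""
    return f"UPDATE mytable SET foo='{wossname}' WHERE bar='{otherwossname}'"


def safe_update(conn: sqlite3.Connection, wossname: str, otherwossname: str) -> int:
    """Placeholder version: the values travel as bind parameters, never as SQL.
    Returns the number of rows updated."""
    cur = conn.execute("UPDATE mytable SET foo=? WHERE bar=?", (wossname, otherwossname))
    conn.commit()
    return cur.rowcount


def validate_dob(raw: str) -> Optional[date]:
    """Placeholders stop injection, not nonsense: accept only a real YYYY-MM-DD
    calendar date, so 'grapefruit' (or 2004-02-30) never reaches the UPDATE."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw):
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:  # well-formed but not a real date
        return None


def demo() -> Tuple[str, int]:
    """Constructed in-memory table; returns (foo stored for alice, row count)
    after a placeholder update with the nasty value. Nothing is deleted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (foo TEXT, bar TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)",
                     [("old", "alice"), ("old", "bob")])
    safe_update(conn, NASTY, "alice")
    stored = conn.execute("SELECT foo FROM mytable WHERE bar='alice'").fetchone()[0]
    rows = conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]
    return stored, rows


if __name__ == "__main__":
    print(unsafe_update_sql(NASTY, "alice"))  # a second statement now sits in the SQL text
    print(demo())                              # (NASTY stored literally, 2 rows still present)
    print(validate_dob("grapefruit"), validate_dob("1970-01-02"))  # None 1970-01-02
```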