Re^2: Avoiding SQL insecurities


Pathologically Eclectic Rubbish Lister
	PerlMonks

Re^2: Avoiding SQL insecurities

by DrHyde (Prior)

on Jul 15, 2004 at 08:40 UTC ( [id://374574]=note: print w/replies, xml )

Need Help??

in reply to Re: Avoiding SQL insecurities
in thread Avoiding SQL insecurities

Perhaps more important - because it's a bit more subtle - is that you should NEVER directly interpolate user input into SQL. Don't do things like:

$dbh->do("UPDATE mytable SET foo='$wossname' WHERE bar='$otherwossname'");

Where $wossname comes straight from a HTML form, because at some point, a nasty fellow like me will provide a value like:

you are screwed';DELETE FROM mytable;

which is the classic SQL injection attack. *That's* why placeholders are so good, but even with placeholders, you need to validate user input so that you don't try to update a user's date of birth with "grapefruit".

Comment on Re^2: Avoiding SQL insecurities Select or Download Code

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://374574]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others drinking their drinks and smoking their pipes about the Monastery: (5)

As of 2024-04-19 02:07 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found