Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite


Perl: the Markov chain saw
	PerlMonks

Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

by andreas1234567 (Vicar)

on Jan 09, 2008 at 19:33 UTC ( [id://661471]=note: print w/replies, xml )

Need Help??

in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

Ran your code on IBM UDB version 9.5.0 on Linux 2.6.9 i386.

$ perl -w 661423.pl 
Connected OK to DBD::DB2::VIPER.
Clear out existing data from the test table ..
Add (44,Some benign text) to the test table ..
Add (55,Just regular data) to the test table ..
Add (66,Evil data');DELETE FROM jobs;) to the test table ..
Dump out the result.
'44', 'Some benign text'
'55', 'Just regular data'
'66', 'Evil data');DELETE FROM jobs;'
3 rows
[download]

However, I would in most cases favor stored procedures as main way of interacting with a database. Benefits includes both security (which includes preventing SQL injection attacks - simply because you don't get to create dynamic SQL) and performance.

--
Andreas

Comment on Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite Download Code

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://661471]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others drinking their drinks and smoking their pipes about the Monastery: (4)

As of 2024-04-19 04:49 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found