PerlMonks  

Re: Securing DB transactions with user form input

by Anonymous Monk
on Feb 04, 2008 at 17:14 UTC [id://666004]

in reply to Securing DB transactions with user form input

"If so, I'm thinking this should just be standard practice for any and all DB transactions that pass user input to an sql statement."

Perhaps. But consider other languages such as PHP that don't have placeholders. I find that the standard practice is to use ids wherever you can -- such as drop-down boxes of items. Don't pass the value of the drop-down -- pass in the id number for that value and translate it back before you issue your query.

    # $q is the CGI object, $dbh the DBI handle, @dates the server-side list
    my $id   = $q->param( 'start_date_id' );
    my $date = $dates[$id];    # etc. maybe add real validation
    my $sth  = $dbh->prepare( 'SELECT this FROM that WHERE date = ?' );
    $sth->execute( $date );
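An added example, not the poster's code, that carries the "maybe add real validation" comment through: it assumes DBD::SQLite and a constructed table `that`, and rejects any id that is not an exact in-range index, since Perl would otherwise map `-1` to the last element of `@dates` and numify `abc` to 0.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed allow-list: the only dates the form is allowed to select.
# Index = the id sent by the form, value = the real date used in SQL.
my @dates = ( '2008-01-01', '2008-02-01', '2008-03-01' );

# Map a raw form parameter to a date from the allow-list. Returns undef
# for anything that is not an exact in-range index, so '-1' (which Perl
# would silently map to the last element), 'abc' (which numifies to 0),
# '1.5' and '' are all rejected instead of being looked up.
sub lookup_date {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A(0|[1-9][0-9]*)\z/;
    return undef if $raw > $#dates;
    return $dates[$raw];
}

# In-memory SQLite table so the example runs stand-alone (constructed data).
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
                        { RaiseError => 1, AutoCommit => 1 } );
$dbh->do('CREATE TABLE that (this TEXT, date TEXT)');
my $ins = $dbh->prepare('INSERT INTO that (this, date) VALUES (?, ?)');
$ins->execute( 'january report', '2008-01-01' );
$ins->execute( 'march report',   '2008-03-01' );

# The bound value is always one of @dates, never the raw parameter, and it
# is bound through a placeholder, so the query text never changes.
my $sth = $dbh->prepare('SELECT this FROM that WHERE date = ?');

for my $raw ( '2', '-1', 'abc', '99', '0 OR 1=1' ) {
    my $date = lookup_date($raw);
    if ( !defined $date ) {
        print "param '$raw': rejected\n";
        next;
    }
    $sth->execute($date);
    my @rows = map { $_->[0] } @{ $sth->fetchall_arrayref };
    print "param '$raw' -> $date: @rows\n";
}
```

Only `2` reaches the database (returning "march report"); the other four inputs are rejected before any SQL runs.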

Re^2: Securing DB transactions with user form input
by eric256 (Parson) on Feb 04, 2008 at 18:04 UTC
      I was *this* close to doing just that and rolling my own ... but, as much as I would love to use that code here at work, I just don't think my co-workers would understand. :(

      Thanks for the tip!
