Re: Prevent SQL Injection

in reply to Prevent SQL Injection

In general you should store whatever data you receive in its original form, and not encoded for a particular output. For example, what if you need to send that text in a plain text email instead of an HTML email? What if you want to dump a bunch of rows of text into CSV?

Then when you need to use that text in a particular context, you can encode it appropriately. When you're sending it to the database, you should use placeholders, or if you must, use the quote method in DBI. When you're outputting it as HTML, then HTML-encode it. When you're passing it to a system call, apply shell escapes to it (is there a standard method for that?). If you're using it in a regex, use quotemeta or the \Q escape. And so on.

Update: andreas1234567's reply below is of course also correct.

Comment on Re: Prevent SQL Injection Select or Download Code

Replies are listed 'Best First'.
Re^2: Prevent SQL Injection by andreas1234567 (Vicar) on Apr 08, 2008 at 07:57 UTC
In general you should store whatever data you receive in its original form, and not encoded for a particular output. Yes, provided that the data is properly validated, e.g. as described in Data Validation (owasp.org). -- Andreas	[reply]
Re^2: Prevent SQL Injection by davidj01 (Novice) on Apr 10, 2008 at 16:14 UTC
Hi, I've been updating my programs to use only place holders. I'm now looking at the next step. "When you're outputting it as HTML, then HTML-encode it." My question is naive but could you provide a couple of examples in order to clearly define what is meant by HTML-encode and in these examples show how one is handling any insecurities or difficult to display characters (I presuppose the single and dbl quote) Thank-you David J.	[reply]

In Section Seekers of Perl Wisdom