in reply to Yet another reason to use DBI placeholders
Hey, funny that. There's a SQL injection (https://rt.cpan.org/Ticket/Display.html?id=41565 in the latest DBD::Pg that works even in the face of placeholders.
> > $s=$d->prepare(q[select ? where 1=?], { pg_server_prepare => 0 }); > > $s->bind_param(2,undef,SQL_INTEGER); > > $s->execute(1,"2; drop table x;");
⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊
In Section
Meditations