in reply to Re^4: Making a regex case insensitive
in thread Making a regex case insensitive
You shouldn't ever directly include data that is provided by a user in your SQL. It should always be bound, or quoted where binding isn't available.
It is trivial for users to modify their user agent string, never trust users.# Interpolated ... bad my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}') +" $dbh->do($sql); # Bound ... best my $sql = "insert into hits (browser) values (?)"; $dbh->do($sql, {}, $ENV{HTTP_USER_AGENT}); # Quoted ... tolerable my $sql = sprintf "insert into hits (browser) values (%s)", $dbh->quot +e($ENV{HTTP_USER_AGENT}); $dbh->do($sql);
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
| A reply falls below the community's threshold of quality. You may see it by logging in. |
In Section
Seekers of Perl Wisdom