awohld has asked for the wisdom of the Perl Monks concerning the following question:
Here is a script I made to do database inserts. Should I limit the amount of data that can be posted to prevent buffer overflows? I guess that there shouldn't be anymore than 30,000 characters in the text area so I was figuring using $CGI::POST_MAX = 30000. I did this assuming that 30,000 ASCII characters assuming that 1 ASCII character is 1 byte.
Also I think my query is immune from SQL injection attacks. Is it?
#!/usr/bin/perl -wT use DBI; use strict; use CGI; $CGI::POST_MAX = 30000; use POSIX 'strftime'; my $q = CGI->new(); my $id = $q->param ('id'); my $other_comments = $q->param ('other_comments'); my $date = strftime( "%m/%d/%Y",localtime(time) ); ##Start database connections########################## my $database = "database"; my $db_server = "localhost"; my $user = "user"; my $password = "password"; ##Connect to database, insert statement, & disconnect## my $dbh = DBI->connect("DBI:mysql:$database:$db_server", $user, $passw +ord); my $statement = "INSERT INTO database (id1, comnt, date1) VALUES (?,?, +?)"; my $sth; $sth = $dbh->prepare($statement) or die "Couldn't prepare the query: $ +sth->errstr"; my $rv = $sth->execute($id,$other_comments,$date) or die "Couldn't exe +cute query: $dbh->errstr"; my $rc = $sth->finish; $rc = $dbh->disconnect; ####################################################### print "Content-type: text/html\n\n"; print $date;
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Hacker Proofing My Script
by hardburn (Abbot) on Oct 04, 2004 at 20:29 UTC | |
Re: Hacker Proofing My Script
by dragonchild (Archbishop) on Oct 04, 2004 at 19:29 UTC | |
Re: Hacker Proofing My Script
by sgifford (Prior) on Oct 04, 2004 at 22:20 UTC | |
Re: Hacker Proofing My Script
by lhoward (Vicar) on Oct 04, 2004 at 20:26 UTC | |
Re: Hacker Proofing My Script
by Anonymous Monk on Oct 05, 2004 at 16:09 UTC | |
Re: Hacker Proofing My Script
by CountZero (Bishop) on Oct 04, 2004 at 19:30 UTC | |
by jZed (Prior) on Oct 04, 2004 at 19:48 UTC | |
by CountZero (Bishop) on Oct 04, 2004 at 20:15 UTC | |
by dave_the_m (Monsignor) on Oct 04, 2004 at 21:19 UTC | |
by awohld (Hermit) on Oct 04, 2004 at 21:02 UTC | |
by jZed (Prior) on Oct 04, 2004 at 21:13 UTC | |
by CountZero (Bishop) on Oct 04, 2004 at 22:24 UTC |
Back to
Seekers of Perl Wisdom