perlquestion
punch_card_don
In researching the title question for DBI applications, I came across this page: <a href="http://unixwiz.net/techtips/sql-injection.html" target="newpage">SQL Injection Attacks by Example</a>.
<p>
Scroll down to <i>Mitigation : Use bound parameters (the PREPARE statement) </i>, where the example in Perl uses placeholders in a prepare statement, like this:
<code>
$sth = $dbh->prepare("SELECT email FROM members WHERE user_id = ?;");
$sth->execute($user_id_from_form);
</code>
and says:<p>
<i>...at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is largely immune to SQL injection attacks.
<p><b>...enormous security benefits. This is probably the single most important step one can take to secure a web application. </b></i>
<p>If so, I'm thinking this should just be standard practice for any and all DB transactions that pass user input to an SQL statement.
<p>So the question to this post is whether the Monastery agrees with the assertions of this website.
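<p>As an added illustration (not code from the post or from the linked article), here are the interpolated and the placeholder forms side by side against an in-memory SQLite database. It assumes DBD::SQLite is installed; the table, rows and the form input are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data in an in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE members (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL)");
$dbh->do("INSERT INTO members VALUES (1, 'alice\@example.com')");
$dbh->do("INSERT INTO members VALUES (2, 'bob\@example.com')");

# Vulnerable form: the form value is spliced into the SQL text, so the
# database parses whatever it contains as part of the statement.
sub email_by_id_unsafe {
    my ($dbh, $id) = @_;
    my $rows = $dbh->selectall_arrayref(
        "SELECT email FROM members WHERE user_id = $id");
    return [ map { $_->[0] } @$rows ];
}

# Hardened form: the statement is parsed once with a placeholder; the form
# value is bound afterwards and is only ever compared as data.
sub email_by_id_safe {
    my ($dbh, $id) = @_;
    my $sth = $dbh->prepare("SELECT email FROM members WHERE user_id = ?");
    $sth->execute($id);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# A well-behaved request: both forms return alice's address.
printf "unsafe(1): %s\n", join(", ", @{ email_by_id_unsafe($dbh, "1") });
printf "safe(1):   %s\n", join(", ", @{ email_by_id_safe($dbh, "1") });

# Constructed hostile input: a form field, not a number.
my $hostile = "1 OR 1=1";

# Unsafe: the WHERE clause is rewritten and every member's email is returned.
printf "unsafe(hostile): %s\n",
    join(", ", @{ email_by_id_unsafe($dbh, $hostile) });

# Safe: SQLite compares user_id against the string '1 OR 1=1'; nothing matches.
my @safe = @{ email_by_id_safe($dbh, $hostile) };
printf "safe(hostile):   %s\n", @safe ? join(", ", @safe) : "(no rows)";
```

Placeholders bind values only; a table or column name cannot be a <code>?</code>, so identifiers that depend on input must come from a fixed allow-list (DBI's <code>quote_identifier</code> handles the quoting of an allowed name).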
<div class="pmsig"><div class="pmsig-396320">
<br><br><br><i><font face="verdana" size=1>Forget that fear of gravity,<br>
Get a little savagery in your life.</i>
</div></div>