And you trust your users why?
by dragonchild (Archbishop) on Mar 23, 2004 at 14:09 UTC [id://339004]
Database queries?? I don't think so. If you're letting your user tell you what query you're going to run, you're asking for bankruptcy. I would never allow my users to construct queries through a Perl app. If they need to be constructing queries, give them SQL*Plus access. It has had 9 major revisions to get security and other issues correct. Plus, they'll be executing based on the roles they were granted, not the roles the application was granted.
Personally, I tell my users "Please choose from the following options" which I have supplied to them. I then combine those options according to a very flexible (but rigid) set of rules to construct the query on the fly.

As for message filtering ... you don't need to use eval, there, either. You use either dispatch or switch statements. Unless, of course, you like playing on the edge. I do something exactly like this in PDF::Template, in my <if> node. You get to indicate the LHS, RHS, and the operator. If I don't recognize the operator, then it's a numeric equality check. If you don't like that, tough. And, it's the same with the mathematical operators. You get the four basic ones. Anything else and I complain. Loudly.

You can never NEVER trust your users, even if it's just to keep them from typing 'rm -rf /' accidentally.

------
Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose
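An added illustration of the dispatch-table approach the reply describes (this is not dragonchild's code and not PDF::Template's actual implementation): the user names the LHS, RHS and operator, the operator is looked up in a fixed table of code references rather than handed to string eval, an unrecognized comparison operator falls back to numeric equality, and anything outside the four basic arithmetic operators is refused.

```perl
#!/usr/bin/perl
# Hypothetical example: dispatch tables instead of string eval for
# user-chosen operators. Not dragonchild's or PDF::Template's own code.
use strict;
use warnings;

# Comparison operators a user may name. The values are code references,
# so nothing the user supplies is ever compiled or executed as Perl.
my %COMPARE = (
    '==' => sub { $_[0] == $_[1] },
    '!=' => sub { $_[0] != $_[1] },
    '<'  => sub { $_[0] <  $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    'eq' => sub { $_[0] eq $_[1] },
    'ne' => sub { $_[0] ne $_[1] },
);

# Unknown operator: numeric equality, as in the <if> node described above.
sub compare {
    my ($lhs, $op, $rhs) = @_;
    my $code = $COMPARE{$op} || $COMPARE{'=='};
    return $code->($lhs, $rhs) ? 1 : 0;
}

# Only the four basic arithmetic operators; anything else is refused loudly.
my %MATH = (
    '+' => sub { $_[0] + $_[1] },
    '-' => sub { $_[0] - $_[1] },
    '*' => sub { $_[0] * $_[1] },
    '/' => sub { die "Division by zero\n" unless $_[1]; $_[0] / $_[1] },
);

sub calculate {
    my ($lhs, $op, $rhs) = @_;
    my $code = $MATH{$op}
        or die "Unsupported operator '$op' (allowed: "
             . join(' ', sort keys %MATH) . ")\n";
    return $code->($lhs, $rhs);
}

# Constructed inputs standing in for values a user typed into a template.
print "5 < 10: ",       compare(5, '<', 10),      "\n";
print "'a' eq 'a': ",   compare('a', 'eq', 'a'),  "\n";
print "3 ** 3 (unknown op, so numeric ==): ", compare(3, '**', 3), "\n";
print "6 * 7: ",        calculate(6, '*', 7),     "\n";
eval { calculate(2, '**', 8) };   # not in %MATH: dies before anything runs
print "Refused: $@" if $@;
```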