Re^6: DBH Insert of Binary Data

in reply to Re^5: DBH Insert of Binary Data
in thread DBH Insert of Binary Data

#!perl -w
use strict;
use DBI;

my $dbh = DBI->connect('DBI:mysql:database=test','xxx','yyy',) || die;
print $dbh->quote(q{Boston;DELETE FROM myTable});
__END__
'Boston;DELETE FROM myTable'
[download]

I don't see your point. If any DBD driver let's this through, (and DBD::mysql doesn't), it's a major bug. Yes, it might be inefficient, but it should never lead to a security risk if used correctly.

"What should it profit a man, if he should win a flame war, yet lose his cool?"

Comment on Re^6: DBH Insert of Binary Data Download Code
Re^7: DBH Insert of Binary Data by jZed (Prior) on Mar 19, 2005 at 01:39 UTC
> If any DBD driver let's this through, (and DBD::mysql > doesn't), it's a major bug. Agreed.	[reply]
Re^8: DBH Insert of Binary Data by Joost (Canon) on Mar 19, 2005 at 01:44 UTC
So now I'm getting curious: are there DBD drivers where you could get an SQL injection attack while still using the quote method correctly? Just to make myself as clear as I can: I agree that using placeholders is usually the best and most efficient technique, but I am under the impression that using quote() would (or at least, should) catch all attempts of "breaking out of" an SQL value. updated: s/attact/attack/ "What should it profit a man, if he should win a flame war, yet lose his cool?"	[reply]
Re^9: DBH Insert of Binary Data by jZed (Prior) on Mar 19, 2005 at 01:46 UTC
> are there DBD drivers where you could get an SQL injection > attact while still using the quote method correctly? Not that I know of.	[reply]


Pathologically Eclectic Rubbish Lister
	PerlMonks

Re^6: DBH Insert of Binary Data

The best material for plates (tableware) is: