PerlMonks
Re^6: DBH Insert of Binary Data

by Joost (Canon)
on Mar 19, 2005 at 01:36 UTC (#440842)

in reply to Re^5: DBH Insert of Binary Data
in thread DBH Insert of Binary Data

#!perl -w
use strict;
use DBI;

my $dbh = DBI->connect('DBI:mysql:database=test', 'xxx', 'yyy')
    || die $DBI::errstr;

# quote() returns the value escaped and wrapped as a single SQL string literal
print $dbh->quote(q{Boston;DELETE FROM myTable});

__END__
'Boston;DELETE FROM myTable'

I don't see your point. If any DBD driver lets this through (and DBD::mysql doesn't), it's a major bug. Yes, it might be inefficient, but it should never lead to a security risk if used correctly.

Re^7: DBH Insert of Binary Data
by jZed (Prior) on Mar 19, 2005 at 01:39 UTC
    > If any DBD driver lets this through, (and DBD::mysql
    > doesn't), it's a major bug.
    
    Agreed.
      So now I'm getting curious: are there DBD drivers where you could get an SQL injection attack while still using the quote method correctly?

      Just to make myself as clear as I can: I agree that using placeholders is usually the best and most efficient technique, but I am under the impression that using quote() would (or at least, should) catch all attempts of "breaking out of" an SQL value.

      updated: s/attact/attack/

        > are there DBD drivers where you could get an SQL injection
        > attact while still using the quote method correctly?
        
        Not that I know of.
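The two techniques discussed in this thread, quote() and placeholders, side by side. This is an added example, not code from Joost's post or from DBI itself; it assumes DBD::SQLite is installed and uses an in-memory database in place of the MySQL "test" database, and the table and column names are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example (not from the thread). Assumes DBD::SQLite is available;
# an in-memory database stands in for the MySQL "test" database above.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 })
    or die $DBI::errstr;

$dbh->do('CREATE TABLE myTable (city TEXT)');   # constructed table

# The value from the thread: it only matters if it ends up in the SQL
# text as code instead of being carried as data.
my $value = q{Boston;DELETE FROM myTable};

# A second value containing a single quote, which quote() must double up.
my $tricky = q{O'Brien's;DELETE FROM myTable};

# Technique 1: quote() -- the driver escapes the value and wraps it in
# quotes so the whole thing is one string literal in the statement.
for my $v ($value, $tricky) {
    my $sql = sprintf 'INSERT INTO myTable (city) VALUES (%s)', $dbh->quote($v);
    $dbh->do($sql);
}

# Technique 2: placeholders -- the value never touches the SQL text at all;
# the statement is compiled once and the data is bound at execute time.
my $sth = $dbh->prepare('INSERT INTO myTable (city) VALUES (?)');
$sth->execute($_) for $value, $tricky;

# Check: four rows were stored and each one round-trips unchanged, i.e.
# neither technique let the semicolon or the quote break out of the value.
my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM myTable');
die "expected 4 rows, got $count" unless $count == 4;

my $rows = $dbh->selectall_arrayref('SELECT city FROM myTable ORDER BY rowid');
my @stored = map { $_->[0] } @$rows;
my @expected = ($value, $tricky, $value, $tricky);
for my $i (0 .. $#expected) {
    die "row $i was altered: $stored[$i]" unless $stored[$i] eq $expected[$i];
}

print "rows: $count\n";
print "quote() of value:  ", $dbh->quote($value),  "\n";
print "quote() of tricky: ", $dbh->quote($tricky), "\n";
print "all values stored as data, none executed as SQL\n";
```

Note that quote() is a method of the driver handle, so the escaping rules match the driver you connected with; building the literal by hand (or with a quote routine from another database) is where the "used correctly" caveat bites. Placeholders avoid the question entirely, which is why the thread prefers them.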
