Re^3: Preventing malicious T-SQL injection attacksby davorg (Chancellor)
|on Mar 05, 2007 at 14:58 UTC||Need Help??|
Why is the hash labels ordered 2,0,1 ?
I thought the comments above the hash explained that. "%procs contains the names of the valid stored procs together with the number of parameters each requires". The key of each hash entry is the name of a valid stored proc. The value associated with the key is the number of parameters that each stored proc requires. The actual numbers that I used (2, 0, 1) were just sample numbers that I made up at random.
why do we have sth->execute(@CHOICE);
That is how you put values into the placeholders in an SQL statement. So if you have an SQL statement that is something like select foo from bar where baz = ? then you pass the value for baz as a parameter to the execute function. If you have more than one placeholder (as we do in this case) then we can pass a list (or, in this example, an array that is converted to a list) instead.
Of course, you could have got all this from the DBI documentation.
Why does the EXEC die if there is not the expected number of elements in the array
If you have placeholders in your SQL statement, then execute must be passed enough parameters to match all of the placeholders. If there are too many or too few parameters then execute will throw a fatal error.
"The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg