PerlMonks  

Re^3: Making a regex case insensitive

by imp (Priest)
on Mar 06, 2007 at 18:34 UTC (#603481)


in reply to Re^2: Making a regex case insensitive
in thread Making a regex case insensitive

Instead of checking for bad tokens you should just use bound parameters whenever possible, and DBI's quote method when it isn't possible. You'll save yourself a lot of pain that way.

Perfect paranoia is perfect awareness when it comes to preventing SQL injection attacks. Make sure you are binding or quoting everything that will touch the database. It's a semi common mistake to include $ENV{HTTP_REFERER} or $ENV{HTTP_USER_AGENT} in the sql unquoted.


Re^4: Making a regex case insensitive
by Win (Novice) on Mar 06, 2007 at 18:40 UTC
    Are you suggesting that I should check each entry with a tight regex?

    It's a semi common mistake to include $ENV{HTTP_REFERER} or $ENV{HTTP_USER_AGENT} in the sql unquoted.

    I haven't a clue what you mean by that.
      You shouldn't ever directly include data that is provided by a user in your SQL. It should always be bound, or quoted where binding isn't available.
      # Interpolated ... bad: the value is pasted into the SQL text
      my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}')";
      $dbh->do($sql);

      # Bound ... best: a placeholder in the SQL, the value passed to do()
      my $sql = "insert into hits (browser) values (?)";
      $dbh->do($sql, {}, $ENV{HTTP_USER_AGENT});

      # Quoted ... tolerable: DBI's quote() escapes the value for this driver
      my $sql = sprintf "insert into hits (browser) values (%s)",
          $dbh->quote($ENV{HTTP_USER_AGENT});
      $dbh->do($sql);
      It is trivial for users to modify their user agent string, never trust users.
        How do I best apply that in the context of:
        $Command = join(' ', 'EXEC', $SPROC, join(', ', @CHOICE[1 .. $elements_in_array])) . '';
        I have been given:
        my $sql = "EXEC $SPROC " . join ', ', ('?') x $procs{$SPROC};
        my $sth = $dbh->prepare($sql);
        $sth->execute(@CHOICE);
        But I don't understand how to apply it. Did the person that gave me this mean:
        $sth->execute($Command);
        ?
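The following is an added, runnable example, not code posted by imp or Win in this thread. It shows the point of both replies above in one script: the interpolated statement breaks on a single quote in the user agent, the bound statement stores it untouched, and the "one '?' per argument" idiom Win was given is wrapped in a function so it is clear that the values go to execute() while only placeholders go into the SQL text. It assumes DBD::SQLite is installed and uses an in-memory database; because SQLite has no stored procedures, a plain INSERT stands in for the EXEC call, and the procedure name usp_record_choice and the table hits are made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database is enough to
# show how DBI handles values versus SQL text.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE hits (browser TEXT, referer TEXT)');

# Constructed sample input: a user agent containing a single quote, the
# character that terminates a string literal in interpolated SQL.
my $ua      = q{Mozilla/5.0 (X11; Linux) O'Reilly-Bot};
my $referer = 'http://example.invalid/';

# 1. Interpolated: the quote inside $ua ends the literal early, so the
#    statement is malformed and the driver rejects it.
my $interpolated = "INSERT INTO hits (browser, referer) VALUES ('$ua', '$referer')";
my $ok = eval { $dbh->do($interpolated); 1 };
print "interpolated: ", ($ok ? "succeeded" : "rejected by the database: $@");

# 2. Bound: one '?' per value, values handed to execute() and never
#    concatenated into the SQL. The ('?') x @values idiom is the one from
#    the thread; @values in scalar context is its element count.
my @values = ($ua, $referer);
my $sql = 'INSERT INTO hits (browser, referer) VALUES ('
        . join(', ', ('?') x @values) . ')';
my $sth = $dbh->prepare($sql);
$sth->execute(@values);

my ($stored) = $dbh->selectrow_array(
    'SELECT browser FROM hits WHERE referer = ?', undef, $referer);
print "bound: stored browser is [$stored]\n";

# 3. The EXEC pattern as a function. It returns the statement text, which
#    contains only placeholders, and the list of values that belong in
#    execute(). The procedure name must come from the program's own table of
#    known procedures, never from user input: identifiers cannot be bound.
sub build_exec {
    my ($sproc, @args) = @_;
    my $call = "EXEC $sproc " . join(', ', ('?') x @args);
    return ($call, @args);
}

# usp_record_choice is a placeholder name for this example.
my ($exec_sql, @exec_args) = build_exec('usp_record_choice', 'one', "tw'o", 'three');
print "statement: $exec_sql\n";              # EXEC usp_record_choice ?, ?, ?
print "arguments: ", join(' | ', @exec_args), "\n";
# On a database with stored procedures this would be:
#   my $sth = $dbh->prepare($exec_sql);
#   $sth->execute(@exec_args);
# The already-joined $Command string from the question is never what goes to
# execute(); execute() takes the raw values, one per '?'.
```

Run it with `perl example.pl`. The first INSERT dies with a syntax error (caught by eval so the script continues), the second stores the user agent with its quote intact, and the last section prints the EXEC text with three placeholders beside the three values that would be passed to execute().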
