Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things

Re^3: Making a regex case insensitive

by imp (Priest)
on Mar 06, 2007 at 18:34 UTC ( #603481=note: print w/replies, xml ) Need Help??

in reply to Re^2: Making a regex case insensitive
in thread Making a regex case insensitive

Instead of checking for bad tokens you should just use bound parameters whenever possible, and DBI's quote method when it isn't possible. You'll save yourself a lot of pain that way.

Perfect paranoia is perfect awareness when it comes to preventing SQL injection attacks. Make sure you are binding or quoting everything that will touch the database. It's a semi common mistake to include $ENV{HTTP_REFERER} or $ENV{HTTP_USER_AGENT} in the sql unquoted.

Replies are listed 'Best First'.
Re^4: Making a regex case insensitive
by Win (Novice) on Mar 06, 2007 at 18:40 UTC
    Are you suggesting that I should check each entry with a tight regex?

    It's a semi common mistake to include $ENV{HTTP_REFERER} or $ENV{HTTP_USER_AGENT} in the sql unquoted.

    I havenít a clue what you mean by that.
      You shouldn't ever directly include data that is provided by a user in your SQL. It should always be bound, or quoted where binding isn't available.
      # Interpolated ... bad my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}') +" $dbh->do($sql); # Bound ... best my $sql = "insert into hits (browser) values (?)"; $dbh->do($sql, {}, $ENV{HTTP_USER_AGENT}); # Quoted ... tolerable my $sql = sprintf "insert into hits (browser) values (%s)", $dbh->quot +e($ENV{HTTP_USER_AGENT}); $dbh->do($sql);
      It is trivial for users to modify their user agent string, never trust users.
        How do I best apply that in the context of:
        $Command = join(' ', 'EXEC', $SPROC, join(', ', @CHOICE[1 .. $elements_in_array])) . '';
        I have been given:
        my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC}; my $sth = $dbh->prepare($sql); $sth->execute(@CHOICE);
        But I don't understand how to apply it. Did the person that gave me this mean:

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603481]
and cookies bake in the oven...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (14)
As of 2017-06-26 17:25 GMT
Find Nodes?
    Voting Booth?
    How many monitors do you use while coding?

    Results (583 votes). Check out past polls.