Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Re^4: Making a regex case insensitive

by Win (Novice)
on Mar 06, 2007 at 18:40 UTC ( #603485=note: print w/ replies, xml ) Need Help??


in reply to Re^3: Making a regex case insensitive
in thread Making a regex case insensitive

Are you suggesting that I should check each entry with a tight regex?

It's a semi common mistake to include $ENV{HTTP_REFERER} or $ENV{HTTP_USER_AGENT} in the sql unquoted.

I havenít a clue what you mean by that.


Comment on Re^4: Making a regex case insensitive
Re^5: Making a regex case insensitive
by imp (Priest) on Mar 06, 2007 at 18:49 UTC
    You shouldn't ever directly include data that is provided by a user in your SQL. It should always be bound, or quoted where binding isn't available.
    # Interpolated ... bad my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}') +" $dbh->do($sql); # Bound ... best my $sql = "insert into hits (browser) values (?)"; $dbh->do($sql, {}, $ENV{HTTP_USER_AGENT}); # Quoted ... tolerable my $sql = sprintf "insert into hits (browser) values (%s)", $dbh->quot +e($ENV{HTTP_USER_AGENT}); $dbh->do($sql);
    It is trivial for users to modify their user agent string, never trust users.
      How do I best apply that in the context of:
      $Command = join(' ', 'EXEC', $SPROC, join(', ', @CHOICE[1 .. $elements_in_array])) . '';
      I have been given:
      my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC}; my $sth = $dbh->prepare($sql); $sth->execute(@CHOICE);
      But I don't understand how to apply it. Did the person that gave me this mean:
      $sth->execute($Command);
      ?
        You should be using a whitelist for the valid values of $SPROC, as was mentioned in several of the replies to your original question. The topic of bound parameters was also covered.

        You should go back to that node and read all of the replies carefully, and ask questions when one of them doesn't make sense to you. If you just copy and paste code to see if it works you will do yourself a great disservice.

        I have been given:

        my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC}; my $sth = $dbh->prepare($sql); $sth->execute(@CHOICE);

        But I don't understand how to apply it. Did the person that gave me this mean:

        $sth->execute($Command);

        No. I meant what I wrote. And I've tried twice to explain how it's used. But you seem determined not to understand :-)

        Let's have one last try.

        1. Create an SQL statement containing placeholders (marked by question marks) where you later want to insert values.
        2. Compile that SQL using $dbh->prepare. This returns a statement handle ($sth).
        3. Execute the statement using $sth->execute passing it a list of values - one value for each placeholder in the SQL statement,

        Does that help at all?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603485]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (7)
As of 2014-12-26 02:49 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (164 votes), past polls