PerlMonks  

Re^5: Making a regex case insensitive

by imp (Priest)
on Mar 06, 2007 at 18:49 UTC (#603488)


in reply to Re^4: Making a regex case insensitive
in thread Making a regex case insensitive

You shouldn't ever directly include data that is provided by a user in your SQL. It should always be bound, or quoted where binding isn't available.

# Interpolated ... bad
my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}')";
$dbh->do($sql);

# Bound ... best
my $sql = "insert into hits (browser) values (?)";
$dbh->do($sql, {}, $ENV{HTTP_USER_AGENT});

# Quoted ... tolerable
my $sql = sprintf "insert into hits (browser) values (%s)", $dbh->quote($ENV{HTTP_USER_AGENT});
$dbh->do($sql);
It is trivial for users to modify their user agent string; never trust users.


Re^6: Making a regex case insensitive
by Win (Novice) on Mar 06, 2007 at 19:03 UTC
    How do I best apply that in the context of:
    $Command = join(' ', 'EXEC', $SPROC, join(', ', @CHOICE[1 .. $elements_in_array])) . '';
    I have been given:
    my $sql = "EXEC $SPROC " . join ', ', ('?') x $procs{$SPROC};
    my $sth = $dbh->prepare($sql);
    $sth->execute(@CHOICE);
    But I don't understand how to apply it. Did the person that gave me this mean:
    $sth->execute($Command);
    ?
      You should be using a whitelist for the valid values of $SPROC, as was mentioned in several of the replies to your original question. The topic of bound parameters was also covered.

      You should go back to that node and read all of the replies carefully, and ask questions when one of them doesn't make sense to you. If you just copy and paste code to see if it works you will do yourself a great disservice.

        I am using a whitelist, but was not able to implement the placeholders. I'll have another go.

      I have been given:

      my $sql = "EXEC $SPROC " . join ', ', ('?') x $procs{$SPROC};
      my $sth = $dbh->prepare($sql);
      $sth->execute(@CHOICE);

      But I don't understand how to apply it. Did the person that gave me this mean:

      $sth->execute($Command);

      No. I meant what I wrote. And I've tried twice to explain how it's used. But you seem determined not to understand :-)

      Let's have one last try.

      1. Create an SQL statement containing placeholders (marked by question marks) where you later want to insert values.
      2. Compile that SQL using $dbh->prepare. This returns a statement handle ($sth).
      3. Execute the statement using $sth->execute, passing it a list of values - one value for each placeholder in the SQL statement.

      Does that help at all?

        The problem that I have with this method is that it produces the following error message. Does this mean that I have to change the SPROC to only receive strings or can I make changes at the Perl level?
        Syntax error converting the nvarchar value 'x' to a column of data type int.
        Update: The placeholders show as follows:
        EXEC sprocname ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
        There was a string like the following: 'ICTABYXIDNUBXdMOCqgwbQRVJNZsfgVqOFrH' which does contain an X.
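Putting the three steps above together with the whitelist imp asked for, as an added example rather than code from anyone in this thread: it assumes $dbh is a DBI handle already connected with RaiseError => 1, and the procedure names, parameter types and sample values are constructed for illustration. It also checks each value against the parameter type in Perl before execute, which is where the nvarchar-to-int conversion error in the last post comes from.

```perl
use strict;
use warnings;
use DBI;

# Assumed: $dbh is a DBI handle already connected with RaiseError => 1
# (e.g. via DBD::ODBC to SQL Server). Procedure names, parameter types and
# the sample values below are constructed for this example.
my %procs = (
    # name => [ parameter types, in positional order ]
    usp_record_hit    => [ 'str', 'int' ],
    usp_record_choice => [ 'str', 'str', 'int' ],
);

sub run_sproc {
    my ($dbh, $sproc, @args) = @_;

    # Whitelist: the procedure name is interpolated into the SQL text, so it
    # must be one of ours, never taken straight from the request.
    my $types = $procs{$sproc}
        or die "unknown procedure '$sproc'\n";

    # One argument per placeholder; refuse mismatches up front.
    die sprintf("%s expects %d arguments, got %d\n",
                $sproc, scalar @$types, scalar @args)
        unless @args == @$types;

    # Check each value against the parameter type before it reaches the
    # server; a non-numeric string bound to an int parameter is what produces
    # "Syntax error converting the nvarchar value ... to ... int".
    for my $i (0 .. $#args) {
        next unless $types->[$i] eq 'int';
        die "argument $i of $sproc must be an integer\n"
            unless defined $args[$i] && $args[$i] =~ /\A-?\d+\z/;
    }

    # Placeholders stand in for the values: prepare compiles the statement,
    # execute binds one value to each '?' in order, so the user-supplied
    # data never becomes part of the SQL text.
    my $sql = "EXEC $sproc " . join ', ', ('?') x @$types;
    my $sth = $dbh->prepare($sql);
    $sth->execute(@args);
    return $sth;
}

# Example call with request data (the hit count here is constructed):
# run_sproc($dbh, 'usp_record_hit', $ENV{HTTP_USER_AGENT}, 1);
```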
