PerlMonks  

Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

by sundialsvc4 (Abbot)
on Jan 10, 2008 at 03:06 UTC (#661545)


in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

Here are my thoughts...

  1. You should not rely upon what a particular DBI-implementation actually does with “a parameterized query.”
  2. Nevertheless... you should know your own business. You should know what parameters you are expecting, and for each one you should know (a) that the value is “a scalar” and (b) what regular-expression pattern it should match.

Both of these considerations will be “specific to your application,” and therefore you should bear the first level of responsibility for ensuring conformance to them.
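As an added example (not part of the original reply or of DBI itself), here is one way to apply both points in Perl with DBI: every expected parameter is checked to be a plain scalar matching an application-specific pattern before it is bound through a placeholder. The rules, table and sample input are constructed for illustration, and the script assumes DBD::SQLite is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Per-parameter rules: each expected parameter must be a plain scalar
# (not a reference) and must match its whole-string pattern.
# The patterns are constructed examples; real ones are application specific.
my %RULES = (
    username => qr/\A[a-z][a-z0-9_]{2,31}\z/,
    age      => qr/\A(?:[1-9][0-9]?|1[01][0-9]|120)\z/,
);

# Returns the validated value, or dies naming the offending parameter.
sub checked_param {
    my ($name, $value) = @_;
    die "unknown parameter '$name'\n"            unless exists $RULES{$name};
    die "parameter '$name' is missing\n"         unless defined $value;
    die "parameter '$name' is not a scalar\n"    if ref $value;
    die "parameter '$name' does not match its pattern\n"
        unless $value =~ $RULES{$name};
    return $value;
}

# Constructed in-memory database so the example runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (username TEXT PRIMARY KEY, age INTEGER)');

# Simulated request input, as a web framework might hand it over.
my %input = (username => 'alice_01', age => '34');

# Validate first, then bind with placeholders: the DBI layer never sees
# raw input that has not passed the application's own rules.
my @args = map { checked_param($_, $input{$_}) } qw(username age);
$dbh->do('INSERT INTO users (username, age) VALUES (?, ?)', undef, @args);

# Inputs that a placeholder would pass through safely can still be rejected,
# because they are not what this application expects a username to be:
# a name with a quote character, and a multi-valued (array reference) field.
for my $bad ("O'Brien", [ 'alice', 'bob' ]) {
    eval { checked_param('username', $bad); 1 }
        or print "rejected: $@";
}

my ($n) = $dbh->selectrow_array('SELECT COUNT(*) FROM users');
print "rows inserted: $n\n";
```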

