untainting or encoding for shelled sqlplus update
by goibhniu (Hermit) on May 15, 2008 at 18:40 UTC

goibhniu has asked for the wisdom of the Perl Monks concerning the following question:
I have a piece of "Other People's Code" that I'm maintaining. It updates Oracle by shelling out to sqlplus. It's not encoding the field values. If I try to update a field with a value that contains, for instance, a single quote ('), it messes up the SQL statement.
I'd like to not refactor to use DBI if I don't have to. What library should I grab from CPAN to do the encoding? Should I be searching for phrases like "encoding" or "untainting"?
Sorry I don't have a code snippet, the place where the input is validated is several function calls away from the place where the sqlplus command is shelled. If needed, I'll work on an example.
#my sig used to say 'I humbly seek wisdom. '. Now it says:
I humbly seek wisdom.
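The following is an added example, not code from goibhniu's post or from any reply on the page. It shows what "encoding" for this situation actually means when you stay with a shelled sqlplus: the value has to be made safe for two interpreters, the SQL parser and SQL*Plus itself, and it should never reach a third one, the shell. Oracle escapes a single quote inside a string literal by doubling it; SQL*Plus additionally treats `&` as a substitution marker and a blank line as a statement terminator unless told otherwise. The helper names (`sql_quote`, `build_update`, `run_sqlplus`), the table and column names and the connect string are all assumptions for the illustration; only the SQL*Plus commands (`SET DEFINE OFF`, `SET SQLBLANKLINES ON`, `WHENEVER SQLERROR`) are the tool's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open2;   # core module: talk to sqlplus over pipes, no shell involved

# Quote a Perl scalar as an Oracle string literal.
# Oracle's escape for a single quote inside a literal is a doubled quote;
# undef becomes NULL. This is only for string columns; numbers and dates
# need their own handling (TO_DATE etc.), which this sketch does not cover.
sub sql_quote {
    my ($v) = @_;
    return 'NULL' unless defined $v;
    (my $q = $v) =~ s/'/''/g;
    return "'$q'";
}

# Build an UPDATE from a hash of column => value. Table and column names
# are hard-coded by the caller, never taken from input: quoting protects
# literals, not identifiers.
sub build_update {
    my ($table, $key_col, $key_val, %set) = @_;
    my @assign = map { "$_ = " . sql_quote($set{$_}) } sort keys %set;
    return sprintf "UPDATE %s SET %s WHERE %s = %s;",
        $table, join(', ', @assign), $key_col, sql_quote($key_val);
}

# Feed a batch of statements to sqlplus on stdin. The list form of open2
# means no shell parses the command, and CONNECT on stdin keeps the
# password out of the process list.
sub run_sqlplus {
    my ($connect, @statements) = @_;
    my $pid = open2(my $out, my $in, 'sqlplus', '-S', '/nolog');
    print {$in} "CONNECT $connect\n";          # assumed: connect string from config
    print {$in} "SET DEFINE OFF\n";            # '&' in data must not trigger substitution
    print {$in} "SET SQLBLANKLINES ON\n";      # blank lines in data must not end a statement
    print {$in} "WHENEVER SQLERROR EXIT FAILURE ROLLBACK\n";
    print {$in} "$_\n" for @statements;
    print {$in} "COMMIT;\nEXIT\n";
    close $in;
    my $output = do { local $/; <$out> };
    waitpid $pid, 0;
    return ($? >> 8, $output);                 # exit status, captured output
}

# Constructed hostile input: a quote, a statement terminator and a comment,
# plus an '&' that SQL*Plus would otherwise prompt on.
my $hostile = "O'Brien'; DROP TABLE users; -- & Sons";
my $sql = build_update('users', 'id', 42, name => $hostile, note => undef);
print "$sql\n";
# UPDATE users SET name = 'O''Brien''; DROP TABLE users; -- & Sons', note = NULL WHERE id = '42';

# To run it for real (assumed connect string, not on the page):
# my ($rc, $log) = run_sqlplus('app/secret@ORCL', $sql);
# die "sqlplus failed ($rc):\n$log" if $rc;
```

Two caveats a maintainer of this kind of code should keep in mind. First, the quoting above is correct only because the whole value lands inside a single-quoted literal; if the existing code interpolates values anywhere else (an identifier, a number, a `DATE` without `TO_DATE`), doubling quotes does nothing for those spots. Second, writing everything to stdin and then reading stdout can deadlock on large batches when sqlplus fills its output pipe before the input is consumed; for big jobs write the script to a temporary file and run `sqlplus -S /nolog @file` instead. DBI with placeholders removes both problems, which is why it is the usual answer even when the refactor is unwelcome.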