Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re^4: Removing malicious HTML entities (now with more questions!)

by techcode (Hermit)
on Aug 19, 2008 at 21:53 UTC ( #705356=note: print w/ replies, xml ) Need Help??


in reply to Re^3: Removing malicious HTML entities (now with more questions!)
in thread Removing malicious HTML entities (now with more questions!)

It can do much more damage than just break your web page...

And yes - you should always use placeholders in your SQL.

Have you tried freelancing? Check out Scriptlance - I work there. For more info about Scriptlance and freelancing in general check out my home node.


Comment on Re^4: Removing malicious HTML entities (now with more questions!)
Re^5: Removing malicious HTML entities (now with more questions!)
by LesleyB (Friar) on Aug 20, 2008 at 09:35 UTC

    I would always use placeholders simply for the speed increase they offer, but does the use of them imply the placeholder content is, for want of a better phrase, SQL-escaped for the actual DB in use?

    My scan of the documentation didn't find that information for placeholders but seemed to imply that $db->quote() might. I would like to know for sure if placeholders also perform this function.

      Yes it does wrap '' around them. Which can lead to problems when you say want to call a function such as NOW() - because then you don't want it quoted.

      Have you tried freelancing? Check out Scriptlance - I work there. For more info about Scriptlance and freelancing in general check out my home node.
        It's hard to imagine a sensible application where an (untrusted) input data value for an SQL operation would properly include a call to an SQL-internal function. Something like "NOW()" would either be an invariant (hard-coded) piece of the SQL statement, or else would be something that is assembled and added to the SQL (or not) based on the presence/absence/value of some input parameter(s).

        In the latter case, the value(s) of the parameter(s) would not go directly into the SQL string, but would only be tested to figure out what function call(s), if any, should be added (as literals) to the SQL. Example:

        my @flds = ( qw/foo bar status/ ); my @vals = @param{@flds}; my $valstr = join( ",", ("?") x @flds ); if ( $param{timestamp} ) { push @flds, "timestamp"; $valstr .= ",NOW()"; } my $sql = "insert into mytable (" . join( ",", @flds ) . ") values ($v +alstr)"; my $sth = $dbh->prepare( $sql ); $sth->execute( @vals );
        There are other ways to handle this that would suffice (e.g. careful regex matches on untrusted values in order to include things in the SQL statement), but as a rule, the application should have a limited inventory of function calls that it supports/allows.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://705356]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (6)
As of 2014-11-27 01:44 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My preferred Perl binaries come from:














    Results (178 votes), past polls