Re: RFC:Tutorial: Using jQuery, Json, and Perl for Web development

by dws (Chancellor)
on May 29, 2010 at 04:22 UTC (#842129)


in reply to RFC:Tutorial: Using jQuery, Json, and Perl for Web development

Great end-to-end example, with at least one problem. In record, you are escaping the values in the query that you're constructing, but not the keys. That opens the door to an injection attack.


Re^2: RFC:Tutorial: Using jQuery, Json, and Perl for Web development
by bradcathey (Prior) on May 29, 2010 at 14:06 UTC

    Point taken, but not sure how to satisfy. I just spent the last hour or so trying to find out exactly what needs to happen.

    I learned this technique from chromatic's venerable piece DBI is OK several years ago. Just came across Updating my database, where keys are escaped, but not quite as elegantly as I had hoped. Also looked again at $dbh->quote() but not seeing how that works with keys.

    Can you point me in the right direction on this one? I'd appreciate it because I use this approach a lot. Thanks.

    —Brad
    "The important work of moving the world forward does not wait to be done by perfect men." George Eliot

      $dbh->quote_identifier() should be sufficient. $dbh->quote() is only for values, and only for those rare cases where placeholders cannot be used.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
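Added example of the approach Alexander suggests (not code from the tutorial or from any of the posters): hash keys go through quote_identifier(), values go through placeholders, with the key-interpolating shape dws flagged shown beside it for contrast. It assumes DBD::SQLite is installed so the script can use an in-memory database.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Build an INSERT from a hashref of column => value.
# Keys are quoted as identifiers, values are bound via placeholders.
# Returns the SQL text and the bind values in column order.
sub build_insert {
    my ($dbh, $table, $record) = @_;
    my @cols = sort keys %$record;
    my $sql = sprintf 'INSERT INTO %s (%s) VALUES (%s)',
        $dbh->quote_identifier($table),
        join(', ', map { $dbh->quote_identifier($_) } @cols),
        join(', ', ('?') x @cols);
    return ($sql, [ map { $record->{$_} } @cols ]);
}

# The shape dws pointed out: values quoted, keys dropped in raw.
# Included only to show the difference; do not use.
sub build_insert_unsafe {
    my ($dbh, $table, $record) = @_;
    my @cols = sort keys %$record;
    return sprintf 'INSERT INTO %s (%s) VALUES (%s)', $table,
        join(', ', @cols),
        join(', ', map { $dbh->quote($record->{$_}) } @cols);
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE contacts (name TEXT, email TEXT)');

# Constructed inputs: a normal record, and one whose key carries a
# double quote (the identifier quote character SQLite uses).
my %good = ( name => q{O'Brien}, email => 'ob@example.com' );
my %bad  = ( name => 'x', q{email"} => 'x@example.com' );

my ($sql, $binds) = build_insert($dbh, 'contacts', \%good);
$dbh->do($sql, undef, @$binds);          # inserts one row
print "$sql\n";

($sql, $binds) = build_insert($dbh, 'contacts', \%bad);
print "$sql\n";                          # the " is doubled: "email"""
eval { $dbh->do($sql, undef, @$binds) };
print $@ ? "rejected: unknown column\n" : "inserted\n";

print build_insert_unsafe($dbh, 'contacts', \%bad), "\n";  # key alters the statement text
$dbh->disconnect;
```

Quoting stops a key from changing the shape of the statement, but it still lets any column name reach the database; an allowlist of expected column names checked before building the query is the usual second step.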
