Re^2: Multiple SQL statements in DBI

by tel2 (Pilgrim)
on Sep 07, 2012 at 21:21 UTC (#992379)

in reply to Re: Multiple SQL statements in DBI
in thread Multiple SQL statements in DBI

Sorry Dave - I should have made that clearer.  My reason is (hidden) in question 3.

Re^3: Multiple SQL statements in DBI
by davido (Archbishop) on Sep 07, 2012 at 21:57 UTC

    Ah, in that case:

    Placeholders and bind-values are what you should be using. They would prevent the possibility of an SQL injection attack. Even if the semicolon isn't the issue, there are other things user-supplied input could do when interpolated into the middle of an SQL statement. But placeholders eliminate the interpolation, and overcome that issue. While you might not be able to construct an attack with a semicolon, I wouldn't be too confident that you've eliminated all attack vectors. At least with placeholders you can cross the SQL injection attack off the list.


      Thanks Dave.  Yeah - I've been using placeholders & bind-variables, but did wonder about the need for those given my findings with DBI not allowing multiple statements, but you've semi-answered that, so thanks!

        Well for one thing a malicious user could supply the necessary values for interpolation, and in the last value, close the parens and continue on with an inner join that is constructed to reveal what you never intended to reveal, or to consume tons of resources. Imagine a chain of "order by".
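The point davido makes in both replies (that a single statement can be reshaped without any semicolon, and that placeholders remove the problem) can be seen side by side in a short script. This is an added example, not code posted in the thread; it assumes DBD::SQLite is installed and uses an in-memory database with a constructed `users` table and a constructed input value.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: in-memory SQLite database (assumes DBD::SQLite is installed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$ins->execute('alice', 'alice@example.com');
$ins->execute('bob',   'bob@example.com');

# Vulnerable form: the value is interpolated into the SQL text, so the
# input can close the quote and the paren and keep extending the SAME
# statement. DBI's one-statement-per-call rule does nothing against this.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT email FROM users WHERE (name = '$name')";
    return $dbh->selectall_arrayref($sql);
}

# Hardened form: the SQL text is fixed at prepare() time and the value is
# bound as data at execute() time, so quoting tricks cannot alter its shape.
sub lookup_placeholder {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare('SELECT email FROM users WHERE (name = ?)');
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

# Constructed input: no semicolon anywhere, yet it closes the string and the
# paren and appends a condition that is always true.
my $input = "nobody') OR ('1' = '1";

my $bad  = lookup_interpolated($dbh, $input);
my $good = lookup_placeholder($dbh, $input);

printf "interpolated: %d row(s) returned\n", scalar @$bad;
printf "placeholder:  %d row(s) returned\n", scalar @$good;

$dbh->disconnect;
```

Run as-is: the interpolated lookup hands back every user's email because the WHERE clause has been rewritten, while the placeholder lookup returns no rows because it honestly searched for a user whose name is the literal input string. The difference is entirely in where the value enters the statement, which is why the multiple-statement restriction alone is not a defence.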

