Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Re: Use placeholders. For SECURITY!

by Anonymous Monk
on Nov 14, 2003 at 15:35 UTC ( #307067=note: print w/ replies, xml ) Need Help??


in reply to Use placeholders. For SECURITY!

Boo hiss. No explanation of what a placeholder is. While I could google for it, this article significantly lacks without a clear definition.

I suspect your definition of a "placeholder" is my definition of a "host variable".


Comment on Re: Use placeholders. For SECURITY!
Re: Re: Use placeholders. For SECURITY!
by talexb (Canon) on Nov 14, 2003 at 15:54 UTC
      Boo hiss. No explanation of what a placeholder is. While I could google for it, this article significantly lacks without a clear definition.

    And boo hiss to you too. You don't even need to go to Google to learn about placeholders -- just do a search on this site and you'll find plenty of explanations.

    And I suspect your definition of "technical know-how" relies more on trolling than on craftmanship.

    --t. alex
    Life is short: get busy!

    Update: Apologies all (especially original poster tilly) if this node seemed a little hard on the Anonymous Monk. I just thought it was odd that someone would go to the trouble of reading a DBI-related post without knowing what a placeholder was, then complain about it without doing any research.

      Why do you feel the need to get personal?

      I'm not a regular to this site (thusly, I don't plan on registering), but there seems to be some huge assumption that all of perlmonks.org readership comes from people that spend vast amounts of time on this site. I find my way here from time to time based on an interesting RSS headline that I would like to know more about.

      If the mentality on this site is that I need to have read all articles prior to this one to understand what the article is talking about (and thus, be a perlmonks.org expert, as I'm sure you are), and the other readers of this site are as hostile as you are, then it's time for me to move on.

      Good day to you.
          Why do you feel the need to get personal?

        Well, I guess we've veered into the humorous portion of the day, because it's hard to understand how my post could be construed as personal when you're posting as an Anonymous Monk. :)

          ... but there seems to be some huge assumption that all of perlmonks.org readership comes from people that spend vast amounts of time on this site.

        Not really, we just assume that if you are commenting on something that you have something useful to say .. and that presumes that you understand the technical background. The original post had links to other nodes with relevant information, which you should have read if you were going to respond and not waste everyone's time.

          If the mentality on this site is that I need to have read all articles prior to this one to understand what the article is talking about (and thus, be a perlmonks.org expert, as I'm sure you are), and the other readers of this site are as hostile as you are, then it's time for me to move on.

        Yes, surprisingly, we do expect posters to make intelligent, informed comments. It keeps the noise level down. And if you have misinterpreted my polite remonstrations and reasoning as hostility, your skin is way too thin.

        --t. alex
        Life is short: get busy!
      That was seriously uncalled for. The AM's point was good, and I must say that had I run across a forum where someone was posting on why host variables are a good thing, I would have been left similarly confused. Yes, you can search. But you shouldn't have to.

      Remember that general Perl knowledge does not imply knowledge of various APIs. And I know of top-flight Perl programmers who have never used SQL. If someone has used SQL extensively, but from C, then being introduced to a new vocabulary to understand an old concept is going to leave you unhappy with good reason.

      Incidentally host variables are not quite placeholders (they use the same API in DBI, the syntax is a tad different - :foo vs ? - and the placeholder syntax is more portable), but they are close enough to get the point.

      Update: Apologies all (especially original poster tilly) if this node seemed a little hard on the Anonymous Monk. I just thought it was odd that someone would go to the trouble of reading a DBI-related post without knowing what a placeholder was, then complain about it without doing any research.
      I'm the Anonymous Monk you've been corresponding with -- I just noticed your update. Can you clarify for me where it indicates that this is a DBI thread?

      I found this article via an RSS link which wasn't flagged as DBI. DBI is mentioned very few times in the _comments_ and only twice (after update) in the article. The original instance of it didn't actually relate placeholders and DBI, only saying that installing the latest DBI offers more security.

      Thank you tilly for adding the newbie-friendly explanation.

      Sorry to have eaten up so much time with this thread, but I appreciate everyone's feedback.
          I'm the Anonymous Monk you've been corresponding with -- I just noticed your update. Can you clarify for me where it indicates that this is a DBI thread?

        In fact, the original post didn't identify placeholders at all, something that brother tilly has added to the post. I am totally at fault for jumping on your innocent comment with hob-nailed boots. I hope you accept this apology -- I have been working with DBI almost exclusively since 1998, so placeholders are as obvious to me as the print statement.

        They have a good saying in Texas -- "Be sure your words are soft and sweet, in case you have to eat them some day." Sure wish I'd remembered that when I clicked on 'Reply'. You can bet I'll think about it in the future.

        --t. alex
        Life is short: get busy!
Re: Re: Use placeholders. For SECURITY!
by runrig (Abbot) on Nov 14, 2003 at 18:24 UTC
    I suspect your definition of a "placeholder" is my definition of a "host variable".

    They are essentially the same thing. Though when I think of 'host variables' (or bind variables), it's usually in languages that support embedding a named variable inside the sql statement, e.g. "select stuff from table where id_column = :id_number", and 'id_number' is a variable in the program. The Perl/DBI way is to use a question mark instead of a program variable (which is what many databases natively support anyway), then bind a value to it when (or before) you execute the statement. (some databases support named parameters which would look like a host variable, but in perl you'd still have to bind a value to it, so it wouldn't be an actual perl 'host' variable).

    Placeholders, bind variables, host variables, or whatever you want to call them are a good idea in any programming language database API that supports them, and pasting raw unfiltered (and untrusted) user input into a SQL statement in any programming language is bad.

Re: Re: Use placeholders. For SECURITY!
by tilly (Archbishop) on Nov 14, 2003 at 18:31 UTC
    Good point, and you're right about what a placeholder is. My bad assumption was that most of the people this was addressed to have read the documentation for DBI and are familiar with its terminology.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://307067]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (12)
As of 2014-12-26 12:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (171 votes), past polls