Re: Re: Use placeholders. For SECURITY!

by runrig (Abbot)
on Nov 14, 2003 at 18:24 UTC (#307142)


in reply to Re: Use placeholders. For SECURITY!
in thread Use placeholders. For SECURITY!

I suspect your definition of a "placeholder" is my definition of a "host variable".

They are essentially the same thing. Though when I think of 'host variables' (or bind variables), it's usually in languages that support embedding a named variable inside the SQL statement, e.g. "select stuff from table where id_column = :id_number", where 'id_number' is a variable in the program. The Perl/DBI way is to use a question mark instead of a program variable (which is what many databases natively support anyway), then bind a value to it when (or before) you execute the statement. (Some databases support named parameters, which would look like a host variable, but in Perl you'd still have to bind a value to it, so it wouldn't be an actual Perl 'host' variable.)

Placeholders, bind variables, host variables, or whatever you want to call them are a good idea in any programming language database API that supports them, and pasting raw unfiltered (and untrusted) user input into a SQL statement in any programming language is bad.
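The contrast described above, as an added example that is not part of runrig's post: the same untrusted string first pasted into the SQL text and then bound through a DBI `?` placeholder. It assumes DBD::SQLite is installed and uses an in-memory database with a constructed table so it runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database keeps this self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data standing in for "stuff from table".
$dbh->do("CREATE TABLE stuff (id_column INTEGER PRIMARY KEY, name TEXT)");
my $ins = $dbh->prepare("INSERT INTO stuff (id_column, name) VALUES (?, ?)");
$ins->execute(@$_) for ([1, 'alpha'], [2, 'beta'], [3, 'gamma']);

# Constructed "user input": not a valid id, so a correct lookup should match nothing.
my $untrusted = "1 OR 1=1";

# Bad: raw input pasted into the statement. The value becomes part of the SQL
# text, so the database parses it as a WHERE clause rather than as an id.
my $pasted = $dbh->selectall_arrayref(
    "SELECT name FROM stuff WHERE id_column = $untrusted");
printf "interpolated: %d rows\n", scalar @$pasted;

# Good: a ? placeholder. The SQL text is fixed at prepare time; the value is
# bound separately at execute time and can only ever be compared as data.
my $sth = $dbh->prepare("SELECT name FROM stuff WHERE id_column = ?");
$sth->execute($untrusted);
printf "placeholder:  %d rows\n", scalar @{ $sth->fetchall_arrayref };

# Equivalent: bind the value before execute, as the post mentions.
$sth->bind_param(1, $untrusted);
$sth->execute;
printf "bind_param:   %d rows\n", scalar @{ $sth->fetchall_arrayref };

$dbh->disconnect;
```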

