Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery
 
PerlMonks  

Re: Re: Use placeholders. For SECURITY!

by runrig (Abbot)
on Nov 14, 2003 at 18:24 UTC ( #307142=note: print w/ replies, xml ) Need Help??


in reply to Re: Use placeholders. For SECURITY!
in thread Use placeholders. For SECURITY!

I suspect your definition of a "placeholder" is my definition of a "host variable".

They are essentially the same thing. Though when I think of 'host variables' (or bind variables), it's usually in languages that support embedding a named variable inside the sql statement, e.g. "select stuff from table where id_column = :id_number", and 'id_number' is a variable in the program. The Perl/DBI way is to use a question mark instead of a program variable (which is what many databases natively support anyway), then bind a value to it when (or before) you execute the statement. (some databases support named parameters which would look like a host variable, but in perl you'd still have to bind a value to it, so it wouldn't be an actual perl 'host' variable).

Placeholders, bind variables, host variables, or whatever you want to call them are a good idea in any programming language database API that supports them, and pasting raw unfiltered (and untrusted) user input into a SQL statement in any programming language is bad.


Comment on Re: Re: Use placeholders. For SECURITY!

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://307142]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (6)
As of 2015-07-05 13:43 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (67 votes), past polls