Re: Re: Use placeholders. For SECURITY!

by runrig (Abbot)
on Nov 14, 2003 at 18:24 UTC (#307142)

in reply to Re: Use placeholders. For SECURITY!
in thread Use placeholders. For SECURITY!

I suspect your definition of a "placeholder" is my definition of a "host variable".

They are essentially the same thing. Though when I think of 'host variables' (or bind variables), it's usually in languages that support embedding a named variable inside the SQL statement, e.g. "select stuff from table where id_column = :id_number", and 'id_number' is a variable in the program. The Perl/DBI way is to use a question mark instead of a program variable (which is what many databases natively support anyway), then bind a value to it when (or before) you execute the statement. (Some databases support named parameters, which would look like a host variable, but in Perl you'd still have to bind a value to it, so it wouldn't be an actual Perl 'host' variable.)

Placeholders, bind variables, host variables, or whatever you want to call them are a good idea in any programming language database API that supports them, and pasting raw unfiltered (and untrusted) user input into a SQL statement in any programming language is bad.

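The three styles the reply contrasts (raw interpolation, a DBI `?` placeholder, and a named parameter that still has to be bound) side by side, as an added example that is not runrig's code. It assumes DBI and DBD::SQLite are installed and uses an in-memory database; the table, rows and the "untrusted" value are constructed for the demo. The value contains only an apostrophe, which is enough to show why the interpolated form breaks while the bound forms treat the value as data:

```perl
#!/usr/bin/env perl
# Added example (not from the original post): interpolation vs. placeholders
# in Perl/DBI, run against an in-memory SQLite database.
# Assumes DBI and DBD::SQLite are available.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed sample table for the demo.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO users (id, name) VALUES (1, 'alice')");
$dbh->do("INSERT INTO users (id, name) VALUES (2, 'O''Brien')");

# Constructed "user input", as it might arrive from a web form. A single
# apostrophe is all it takes to show the difference between the styles.
my $untrusted = "O'Brien";

# 1. Raw, unfiltered input pasted into the SQL text. The value becomes part
#    of the statement, so the quote changes the statement's syntax and the
#    query fails (or, with other input, means something else entirely).
sub lookup_interpolated {
    my ($name) = @_;
    my $sql  = "SELECT id FROM users WHERE name = '$name'";
    my $rows = eval { $dbh->selectall_arrayref($sql) };
    return $@ ? "ERROR: $@" : $rows;
}

# 2. Positional placeholder, the Perl/DBI way. The '?' is a slot in the
#    prepared statement; the value is bound at execute() and is never parsed
#    as SQL, so the apostrophe is just a character in the data.
sub lookup_placeholder {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT id FROM users WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

# 3. Named parameter. It looks like a host variable in the SQL text, but as
#    the reply notes, the program still has to bind a value to it explicitly.
#    (DBD::SQLite accepts ':name' placeholders; support varies by driver.)
sub lookup_named {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT id FROM users WHERE name = :id_name");
    $sth->bind_param(":id_name", $name);
    $sth->execute;
    return $sth->fetchall_arrayref;
}

for my $case ([interpolated => \&lookup_interpolated],
              [placeholder  => \&lookup_placeholder],
              [named        => \&lookup_named]) {
    my ($label, $fn) = @$case;
    my $result = $fn->($untrusted);
    if (ref $result) {
        printf "%-12s -> ids: %s\n", $label, join(",", map { $_->[0] } @$result);
    } else {
        printf "%-12s -> %s", $label, $result;   # error text already ends in a newline
    }
}
```

Running it shows the interpolated lookup dying with a SQL syntax error near "Brien", while both bound forms return id 2. The same separation of statement text from data is what stops a deliberately crafted value from changing the query's meaning, which is the reason the thread recommends placeholders regardless of the language or database API.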
