Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?

Re^4: Making a regex case insensitive

by Win (Novice)
on Mar 06, 2007 at 18:40 UTC ( #603485=note: print w/replies, xml ) Need Help??

in reply to Re^3: Making a regex case insensitive
in thread Making a regex case insensitive

Are you suggesting that I should check each entry with a tight regex?

It's a semi common mistake to include $ENV{HTTP_REFERER} or $ENV{HTTP_USER_AGENT} in the sql unquoted.

I havenít a clue what you mean by that.

Replies are listed 'Best First'.
Re^5: Making a regex case insensitive
by imp (Priest) on Mar 06, 2007 at 18:49 UTC
    You shouldn't ever directly include data that is provided by a user in your SQL. It should always be bound, or quoted where binding isn't available.
    # Interpolated ... bad my $sql = "insert into hits (browser) values ('$ENV{HTTP_USER_AGENT}') +" $dbh->do($sql); # Bound ... best my $sql = "insert into hits (browser) values (?)"; $dbh->do($sql, {}, $ENV{HTTP_USER_AGENT}); # Quoted ... tolerable my $sql = sprintf "insert into hits (browser) values (%s)", $dbh->quot +e($ENV{HTTP_USER_AGENT}); $dbh->do($sql);
    It is trivial for users to modify their user agent string, never trust users.
      How do I best apply that in the context of:
      $Command = join(' ', 'EXEC', $SPROC, join(', ', @CHOICE[1 .. $elements_in_array])) . '';
      I have been given:
      my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC}; my $sth = $dbh->prepare($sql); $sth->execute(@CHOICE);
      But I don't understand how to apply it. Did the person that gave me this mean:

        I have been given:

        my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC}; my $sth = $dbh->prepare($sql); $sth->execute(@CHOICE);

        But I don't understand how to apply it. Did the person that gave me this mean:


        No. I meant what I wrote. And I've tried twice to explain how it's used. But you seem determined not to understand :-)

        Let's have one last try.

        1. Create an SQL statement containing placeholders (marked by question marks) where you later want to insert values.
        2. Compile that SQL using $dbh->prepare. This returns a statement handle ($sth).
        3. Execute the statement using $sth->execute passing it a list of values - one value for each placeholder in the SQL statement,

        Does that help at all?

        You should be using a whitelist for the valid values of $SPROC, as was mentioned in several of the replies to your original question. The topic of bound parameters was also covered.

        You should go back to that node and read all of the replies carefully, and ask questions when one of them doesn't make sense to you. If you just copy and paste code to see if it works you will do yourself a great disservice.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603485]
[james28909]: but then you have the others as well
[Lady_Aleena]: Renaming things like get_THAC0 to just THAC0 was easy. These are harder.
[james28909]: consolidate the three subs into one
[Lady_Aleena]: Um, what?
[james28909]: check is is data or hash or array and do tasks then return needed data
[Lady_Aleena]: james28909, you might want to look at the other two on my scratchpad.

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (5)
As of 2017-05-24 04:48 GMT
Find Nodes?
    Voting Booth?