Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
It is a judgement call, but I would call it still adviseable.

Your validation will not let through anything that can trigger a successful SQL injection attack. And you are therefore safe in not using placeholders. But other fields with different validations are not safe to use because they allow quote marks. If you are in the habit of skipping placeholders when not needed, then you are more likely to omit them when you do need them. Worse still, even if you don't, people who follow you are more likely to not understand the difference and get it wrong.

Further there is a maintainance issue. Suppose that you did the above for lastname. And then a customer named O'Connell complains about your application not allowing him to use his name. Well whoever gets the change request makes the obvious fix, and it is so simple that they don't really test it. (Yeah, I know..this kind of stuff happens in real life though. Bear with me.) And now your perfectly safe code has become unsafe instead. Why risk it?

Of course this is all in addition to major performance gains with some databases. Yeah, I know and have given the optimization rant plenty of times. But an issue that routinely causes a single point of failure in key systems to fail is worth being aware of.

In reply to Re: Re: Use placeholders. For SECURITY! by tilly
in thread Use placeholders. For SECURITY! by tilly

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others about the Monastery: (7)
    As of 2018-05-24 09:05 GMT
    Find Nodes?
      Voting Booth?