Don't ask to ask, just ask | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
Tainting would also have been my answer to the problem of mixing untrusted user input with SQL fragments. For constants (your "hard-coded literals"), I really don't care. I've used DBI nearly daily in the last few years, and I rarely needed constants. And for the few cases where I really had constants, I replaced them with placeholders and a constant bind value just because I have the habit to pass all values using placeholders. So having DBI warn or die when it finds a string or number literal in an SQL statement would not hurt much, it would just force you to pass even constants via placeholders. Of course, this "paranoia mode" would break some existing code, and it needs to be disabled by default for a long time. Any by the way: Because no user code needs the $dbh->quote() method in "paranoia mode", DBI should warn or die when non-DBD code calls this method. I see a different problem that really blocks the implementation of this "paranoia mode": The different SQL dialects. For example, it is possible and sometimes needed to create PL/SQL code via DBI/DBD::Oracle, and that code may legally contain any hard-coded literal. So the actual parsing has to be done in the DBD code, at least for those special cases. DBI code may provide a default parser, for DBDs that don't have those special cases. Alexander
-- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-) In reply to Re^3: Counting rows Sqlite
by afoken
|
|