
Re^2: Preventing malicious T-SQL injection attacks

by Win (Novice)
on Mar 05, 2007 at 14:30 UTC (#603215)

in reply to Re: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks

Thanks for your post, which raises useful points. I have three questions. Why are the hash labels ordered 2,0,1 (I'm very easily confused)? Also, why do we have sth->execute(@CHOICE)? And why does the EXEC die if there is not the expected number of elements in the array? Is that because of the prepare statement?

Re^3: Preventing malicious T-SQL injection attacks
by davorg (Chancellor) on Mar 05, 2007 at 14:58 UTC
    Why are the hash labels ordered 2,0,1?

    I thought the comments above the hash explained that. "%procs contains the names of the valid stored procs together with the number of parameters each requires". The key of each hash entry is the name of a valid stored proc. The value associated with the key is the number of parameters that each stored proc requires. The actual numbers that I used (2, 0, 1) were just sample numbers that I made up at random.

    Why do we have sth->execute(@CHOICE)?

    That is how you put values into the placeholders in an SQL statement. So if you have an SQL statement that is something like select foo from bar where baz = ? then you pass the value for baz as a parameter to the execute function. If you have more than one placeholder (as we do in this case) then we can pass a list (or, in this example, an array that is converted to a list) instead.

    Of course, you could have got all this from the DBI documentation.

    Why does the EXEC die if there is not the expected number of elements in the array?

    If you have placeholders in your SQL statement, then execute must be passed enough parameters to match all of the placeholders. If there are too many or too few parameters then execute will throw a fatal error.

      Can I also question the need to specify the number of variables that each SPROC can take? A SPROC won't allow an execution if an incorrect number of variables is specified.

        You can question whatever you want. It's your code, after all.

        But you need to know the number of parameters in order to create an SQL string with the correct number of placeholders. So DBI checks the number of parameters for you for free.

        You get an extra layer of defensive programming for no cost. I can't see any reason why you wouldn't want to make use of it.
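The pattern davorg describes in this thread, put together as an added example (this is not code from the thread or from DBI): a %procs whitelist mapping stored proc names to the number of parameters each requires, an EXEC string built with exactly that many ? placeholders, and the values passed to execute() rather than interpolated. The proc names, parameter counts, DSN and credentials are made-up placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# %procs: valid stored proc name => number of parameters it requires.
# Names and counts are made-up sample values (not from the thread).
my %procs = (
    usp_GetCustomer => 1,
    usp_ListOrders  => 2,
    usp_Nightly     => 0,
);

# Build "EXEC name ?, ?, ..." with one '?' per required parameter.
# Dies for a name that is not in the whitelist or for a wrong argument
# count, so untrusted input never becomes part of the SQL text itself.
sub build_exec {
    my ($name, @args) = @_;
    die "not a valid stored proc: '$name'\n" unless exists $procs{$name};
    my $want = $procs{$name};
    die "$name expects $want parameter(s), got " . scalar(@args) . "\n"
        unless @args == $want;
    my $sql = "EXEC $name";
    $sql .= ' ' . join(', ', ('?') x $want) if $want;
    return $sql;   # e.g. "EXEC usp_ListOrders ?, ?"
}

# Prepare and run one call. The values travel as bound parameters through
# execute(); DBI itself also dies if their number does not match the
# number of placeholders in the prepared statement.
sub run_proc {
    my ($dbh, $name, @args) = @_;
    my $sth = $dbh->prepare(build_exec($name, @args));
    $sth->execute(@args);
    return $sth;
}

# Placeholder DSN and credentials: replace with your own.
my $dbh = DBI->connect('dbi:ODBC:DSN=YOUR_DSN', 'YOUR_USER', 'YOUR_PASSWORD',
                       { RaiseError => 1, PrintError => 0 });

# Constructed untrusted input, as it might arrive from a form:
my ($proc, @CHOICE) = ('usp_ListOrders', 42, '2007-03-05');
my $sth = run_proc($dbh, $proc, @CHOICE);
while (my @row = $sth->fetchrow_array) { print join("\t", @row), "\n"; }

# Both of these are rejected before any SQL reaches the server:
eval { run_proc($dbh, 'usp_ListOrders; DROP TABLE x', 1, 2) }; print "rejected: $@";
eval { run_proc($dbh, 'usp_GetCustomer', 1, 2) };              print "rejected: $@";
```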
