Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid
 
PerlMonks  

Re^3: Preventing malicious T-SQL injection attacks

by davorg (Chancellor)
on Mar 05, 2007 at 14:58 UTC ( #603224=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks

Why is the hash labels ordered 2,0,1 ?

I thought the comments above the hash explained that. "%procs contains the names of the valid stored procs together with the number of parameters each requires". The key of each hash entry is the name of a valid stored proc. The value associated with the key is the number of parameters that each stored proc requires. The actual numbers that I used (2, 0, 1) were just sample numbers that I made up at random.

why do we have sth->execute(@CHOICE);

That is how you put values into the placeholders in an SQL statement. So if you have an SQL statement that is something like select foo from bar where baz = ? then you pass the value for baz as a parameter to the execute function. If you have more than one placeholder (as we do in this case) then we can pass a list (or, in this example, an array that is converted to a list) instead.

Of course, you could have got all this from the DBI documentation.

Why does the EXEC die if there is not the expected number of elements in the array

If you have placeholders in your SQL statement, then execute must be passed enough parameters to match all of the placeholders. If there are too many or too few parameters then execute will throw a fatal error.


Comment on Re^3: Preventing malicious T-SQL injection attacks
Re^4: Preventing malicious T-SQL injection attacks
by Win (Novice) on Mar 05, 2007 at 15:34 UTC
    Can I also question the need to specify the number of variables that each SPROC can take. Because a SPROC won't allow an execution if an incorrect number of variables is specified.

      You can question whatever you want. It's your code, after all.

      But you need to know the number of parameters in order to create an SQL string with the correct number of placeholders. So DBI checks the number of parameters for you for free.

      You get an extra layer of defensive programming for no cost. I can't see any reason why you wouldn't want to make use of it.

        I think that it would be good when SELECT is used in a similar circumstance. But when that particular feature is used with EXEC I believe it is redundant code and therefore is best not used.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603224]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (6)
As of 2014-10-26 08:46 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (152 votes), past polls