Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

Re^3: Preventing malicious T-SQL injection attacks

by davorg (Chancellor)
on Mar 05, 2007 at 19:46 UTC ( #603286=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks

I've tested this bit:

my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC};

It doesn't work. It produced a load of '?' in a row.

Erm... yes. That's what it is supposed to do. It produces an SQL statement with the correct number of placeholders in it (a placeholder is marked with a question mark).

What were you expecting it to produce?

Also, I am having problems adapting the code like follows:

my @procs = qw/recept/; unless (exists $procs{$SPROC}) { die "Unknown stored proc: $SPROC\n"; }

Clearly there is a difference between hashes and arrays when it comes to using the exist function.

Clearly :-)

For example. hashes are indexed with strings and arrays are indexed with integers. So trying to see if a string key exists in an array is always going to be doomed to failure.

But actually, that's not what you're doing is it? You're setting up an array and then looking for a key in a non-existant hash.

Has someone recommended that you use "strict" and "diagnostics" in your code? Because that would have explained what your problem is here.


Comment on Re^3: Preventing malicious T-SQL injection attacks
Select or Download Code
Re^4: Preventing malicious T-SQL injection attacks
by Win (Novice) on Mar 06, 2007 at 09:25 UTC
    Now I am really confused because I have no idea how I can make use of that series of question marks.
      I shudder to ask this, as the answer in the past has always been no, have you read the documentation?

      Martin

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603286]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (13)
As of 2014-10-21 20:42 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (110 votes), past polls