
Re^3: Preventing malicious T-SQL injection attacks

by davorg (Chancellor)
on Mar 05, 2007 at 19:46 UTC (#603286=note)

in reply to Re^2: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks

I've tested this bit:

my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC};

It doesn't work. It produced a load of '?' in a row.

Erm... yes. That's what it is supposed to do. It produces an SQL statement with the correct number of placeholders in it (a placeholder is marked with a question mark).

What were you expecting it to produce?

Also, I am having problems adapting the code like follows:

my @procs = qw/recept/; unless (exists $procs{$SPROC}) { die "Unknown stored proc: $SPROC\n"; }

Clearly there is a difference between hashes and arrays when it comes to using the exists function.

Clearly :-)

For example, hashes are indexed with strings and arrays are indexed with integers. So trying to see if a string key exists in an array is always going to be doomed to failure.

But actually, that's not what you're doing, is it? You're setting up an array and then looking for a key in a non-existent hash.

Has someone recommended that you use "strict" and "diagnostics" in your code? Because that would have explained what your problem is here.
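Putting the whitelist-hash approach from this thread into one runnable script (an added example, not code posted by davorg or Win; the contents of `%procs`, the `get_patient` name, the sample argument values and the `run_proc` sub are constructed): the hash maps each permitted stored procedure to its argument count, the name is checked with `exists` against that hash rather than an array, and user-supplied values only ever reach the server as bound placeholders, so a value containing SQL text is stored as data rather than executed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed whitelist: stored procedure name => number of arguments it takes.
# Only names that are keys of this hash may ever reach the database.
my %procs = (
    recept      => 2,
    get_patient => 1,
);

# Build "EXEC <name> ?, ?, ..." with one placeholder per expected argument.
# $name is only used after it matched a hash key exactly, so no caller text
# is interpolated into the statement; the values travel separately.
sub build_exec {
    my ($name, @args) = @_;

    die "Unknown stored proc: $name\n" unless exists $procs{$name};

    my $n = $procs{$name};
    die "Stored proc $name expects $n argument(s), got " . scalar(@args) . "\n"
        unless @args == $n;

    my $sql = "EXEC $name " . join ', ', ('?') x $n;
    return ($sql, @args);
}

# Send it through DBI (constructed helper; needs an already connected $dbh).
# The bound values are never parsed as SQL, whatever characters they contain.
sub run_proc {
    my ($dbh, $name, @args) = @_;
    my ($sql, @bind) = build_exec($name, @args);
    my $sth = $dbh->prepare($sql);
    $sth->execute(@bind);
    return $sth;
}

# Demonstration without a database: what build_exec produces or rejects.
for my $case ( [ recept      => 'Smith', 42 ],              # accepted
               [ get_patient => "1; DROP TABLE patients" ], # accepted as data
               [ recept      => 'Smith' ],                  # wrong arg count
               [ "recept; DROP TABLE x" => 1, 2 ] ) {       # not a known proc
    my ($sql, @bind) = eval { build_exec(@$case) };
    if ($@) { print "rejected: $@" }
    else    { print "$sql  <- bound: [", join('] [', @bind), "]\n" }
}
```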

Replies are listed 'Best First'.
Re^4: Preventing malicious T-SQL injection attacks
by Win (Novice) on Mar 06, 2007 at 09:25 UTC
    Now I am really confused because I have no idea how I can make use of that series of question marks.
      I shudder to ask this, as the answer in the past has always been no, have you read the documentation?

