http://www.perlmonks.org?node_id=791184


in reply to Re: DBI & MySQL Login Test
in thread DBI & MySQL Login Test

Hmm, that's one way of protecting against SQL injection, I guess. But it means that you'd need to run this kind of query for all SQL queries that use external data.

And it means any internal users who simply want to query the db (using Crystal Reports, Business Objects or a myriad of other tools) now can't.

Re^3: DBI & MySQL Login Test
by Sewi (Friar) on Aug 26, 2009 at 12:29 UTC
    Sorry, but you're wrong :-)
    I'm using the HEX representation only between the Perl script and the SQL-Server. You could still do a
    SELECT LastLogin FROM Users WHERE Username="astroboy"
    Note the " around your name, they make this a string.
    Try this with your SQL-Server:
    SELECT 1 WHERE "astroboy"=0x617374726f626f79

    PS: You could also use SQL commands to play with your string, because the SQL server treats it as a plain string, not as a list of hex codes:

    SELECT 1 FROM Users WHERE LOWER(Username)=LOWER(0x617374726f626f79) AND Password=0x617374726f626f79
    This would match astroboy, ASTROBOY and AstroBoy in the DB, but not 0x617374726f626f79 or 0x617374726F626F79.
      oh, ok. I couldn't get this to work with MySQL
      Whoops, when I changed to MySQL syntax I got it to work. Very cool.
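As an added illustration of the hex-literal approach Sewi describes (this is example code, not anything posted in the thread): the script below builds MySQL `0x...` literals from user-supplied strings so that only hex digits ever reach the SQL text, and runs the same lookup with DBI placeholders for comparison. The `Users` table with `Username`, `Password` and `LastLogin` columns is taken from the thread; the DSN and credentials are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Turn an arbitrary Perl string into a MySQL hex literal (0x...).
# Only [0-9a-f] ever reaches the SQL text, so quotes, semicolons or
# comment sequences in $str cannot change the statement structure.
# Caveat: MySQL treats a hex literal as a *binary* string, so a
# comparison against a non-binary column is done byte-wise; use
# CONVERT(0x... USING utf8mb4) if you need the column's collation.
sub mysql_hex_literal {
    my ($str) = @_;
    utf8::encode($str) if utf8::is_utf8($str);   # hex the UTF-8 bytes
    return "''" if length($str) == 0;            # a bare "0x" is not valid SQL
    return '0x' . unpack('H*', $str);
}

# Hypothetical connection details (assumption, not from the thread).
my $dbh = DBI->connect('DBI:mysql:database=test', 'user', 'pass',
                       { RaiseError => 1, PrintError => 0 });

my $username = $ARGV[0] // 'astroboy';
my $password = $ARGV[1] // 'astroboy';

# 1) Interpolating hex literals, as in the thread.
my $sql_hex = sprintf(
    'SELECT LastLogin FROM Users WHERE LOWER(Username)=LOWER(%s) AND Password=%s',
    mysql_hex_literal($username), mysql_hex_literal($password));
my ($last_hex) = $dbh->selectrow_array($sql_hex);

# 2) The usual DBI way: placeholders let the driver quote the values,
#    and the query text stays readable for anyone auditing the logs.
my ($last_ph) = $dbh->selectrow_array(
    'SELECT LastLogin FROM Users WHERE LOWER(Username)=LOWER(?) AND Password=?',
    undef, $username, $password);

print "hex literal query:   $sql_hex\n";
print "last login (hex):    ", $last_hex // 'no match', "\n";
print "last login (placeh): ", $last_ph  // 'no match', "\n";
$dbh->disconnect;
```

Feeding it an argument such as `astroboy" OR "1"="1` shows the point of the thread: the value becomes `0x61737...` and is compared as data, not parsed as SQL.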