in reply to Re: Counting rows Sqlite
in thread Counting rows Sqlite
I would prefer that DBI issued a warning or even refuse to work with inline values, but that would add a lot of overhead, as DBI would need to actually parse the SQL statement.
Worse than that, it would simply be impossible to do.
On receiving the query "SELECT * FROM foo WHERE bar = 'baz'", how would DBI know whether it had been called as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = 'baz'"); (which is fine - the baz is a hard-coded literal) or as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = '$myvar'"); (which is potentially dangerous)? Even if it could make that determination, in the latter case, how would it know whether $myvar's value came from user input (unsafe) or the statement my $myvar = 'baz'; (another hard-coded literal, so safe)?
We've already got taint mode and you can set DBI to reject tainted values (DBI->connect(..., { TaintIn => 1 })), but that's about as close as you're likely to be able to get.
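To make the point above concrete, here is an added Perl example (not code from this thread; it assumes DBD::SQLite is installed and that the script is started with `perl -T`). It builds a tainted value the way user input would look, and shows that DBI cannot distinguish a literal from an interpolated string, but that `TaintIn` refuses the tainted value whether it was interpolated into the SQL or passed as a placeholder bind, until the input has been validated.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taintin_demo.pl  (TaintIn only has an effect under taint mode)
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# In-memory SQLite table with one row, so the script runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, TaintIn => 1 });
$dbh->do('CREATE TABLE foo (bar TEXT)');
$dbh->do('INSERT INTO foo (bar) VALUES (?)', undef, 'baz');

# Constructed "user input": concatenating a (tainted) slice of %ENV taints the
# result, which is what a CGI parameter or @ARGV element looks like under -T.
my $myvar = 'baz' . substr($ENV{PATH} // '', 0, 0);
printf "\$myvar tainted: %s\n", tainted($myvar) ? 'yes' : 'no';

# Run a query and report whether DBI accepted it or TaintIn refused it.
sub try_query {
    my ($label, $sql, @bind) = @_;
    my $rows = eval { $dbh->selectall_arrayref($sql, undef, @bind) };
    if ($@) { chomp(my $err = $@); print "$label: REJECTED ($err)\n"; return }
    printf "%s: OK, %d row(s)\n", $label, scalar @$rows;
    return scalar @$rows;
}

# 1. Hard-coded literal: DBI cannot tell this apart from an interpolated
#    string, but nothing here is tainted, so it runs.
try_query('literal',      "SELECT * FROM foo WHERE bar = 'baz'");

# 2. Interpolated user input: taint propagates into the SQL string itself,
#    so TaintIn rejects the whole statement before it reaches SQLite.
try_query('interpolated', "SELECT * FROM foo WHERE bar = '$myvar'");

# 3. Placeholder with the tainted value: no injection risk, but TaintIn
#    still rejects the tainted bind value.
try_query('placeholder',  'SELECT * FROM foo WHERE bar = ?', $myvar);

# 4. Validate the input with a regex capture (which untaints it), then bind it.
my ($clean) = $myvar =~ /\A([A-Za-z0-9_]{1,32})\z/
    or die "input did not match the allowed pattern\n";
try_query('validated',    'SELECT * FROM foo WHERE bar = ?', $clean);
```

Only cases 1 and 4 succeed; without `-T` on the command line Perl refuses to start (the shebang carries `-T`), and without `TaintIn` cases 2 and 3 would run unchecked.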