http://www.perlmonks.org?node_id=603255


in reply to Re: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks

This node falls below the community's threshold of quality. You may see it by logging in.

Replies are listed 'Best First'.
Re^3: Preventing malicious T-SQL injection attacks
by davorg (Chancellor) on Mar 05, 2007 at 19:46 UTC

    I've tested this bit:

    my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC};

    It doesn't work. It produced a load of '?' in a row.

    Erm... yes. That's what it is supposed to do. It produces an SQL statement with the correct number of placeholders in it (a placeholder is marked with a question mark).

    What were you expecting it to produce?

    Also, I am having problems adapting the code like follows:

    my @procs = qw/recept/;

unless (exists $procs{$SPROC}) {
  die "Unknown stored proc: $SPROC\n";
}

    [download]

    Clearly there is a difference between hashes and arrays when it comes to using the exist function.

    Clearly :-)

    For example. hashes are indexed with strings and arrays are indexed with integers. So trying to see if a string key exists in an array is always going to be doomed to failure.

    But actually, that's not what you're doing is it? You're setting up an array and then looking for a key in a non-existant hash.

    Has someone recommended that you use "strict" and "diagnostics" in your code? Because that would have explained what your problem is here.

    --

    <http://dave.org.uk>

    "The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg
[reply]
[d/l]
[select]
    A reply falls below the community's threshold of quality. You may see it by logging in.

In Section Seekers of Perl Wisdom