in reply to Re^3: Simple question on SQL Injection
in thread Simple question on SQL Injection

A quick peek within the source revealed that it does quote table names and other values that you can't use placeholders for.
SQL::Abstract does quote table names and field names with whatever $self->{quote_char} is set to, which is default to empty string. At least MySQL allows to quote table and field names with backtick characters (`table_name`).
use SQL::Abstract; my $SQL = SQL::Abstract->new(quote_char => '`');
Quoting tables and fields (selet * from `user`) is different from quoting values (where name = 'bob'). So what's the problem? You can't use placeholders on tables and fields, after all, only values. From DBI docs:
With most drivers, placeholders canít be used for any element of a statement that would prevent the database server from validating the statement and creating a query execution plan for it. For example:
"SELECT name, age FROM ?" # wrong (will probably fail) "SELECT name, ? FROM people" # wrong (but may not ífailí)

Open source softwares? Share and enjoy. Make profit from them if you can. Yet, share and enjoy!