PerlMonks  

Re: Mysql queries with ' and "

by sundialsvc4 (Abbot)
on Mar 13, 2014 at 12:14 UTC [id://1078175]


in reply to Mysql queries with ' and "

Placeholders are the only way to deal with this matter, to avoid the Bobby Tables problem. (The cartoon on the front page of the site at this link says it all.)

What if the value that made it into $count ... by whatever means ... consisted of: “23); DROP TABLE arabic_corpus;”?? If your application connects to the database with a user-id powerful enough to issue a DROP TABLE statement and have it “stick,” your table is now gone. (And unfortunately, many applications built by lazy programmers simply connect with a single user-id that is all-powerful.) SQL injection ...

And by the way, another good reason is efficiency. prepare() a statement-handle once, for a statement that includes placeholders. Then, repeatedly execute the prepared statement, changing the placeholder values as often as necessary. The overhead of preparing the statement (such as it is ...) occurs only one time. And, if you put those inserts into a transaction of reasonable size (when using certain kinds of databases), now you would really see some improved speed.
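The prepare-once / execute-many pattern with placeholders and a surrounding transaction, as an added example that is not part of sundialsvc4's reply. It uses an in-memory SQLite database through DBD::SQLite so it runs without a server; for MySQL swap the DSN for something like `DBI:mysql:database=...` with credentials. The table name comes from the thread; the column names (`word`, `count`), the `@rows` input and the hostile-looking string are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed: an in-memory SQLite database so the example runs offline.
# For MySQL, use e.g. "DBI:mysql:database=corpus;host=localhost" plus a user/password.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Assumed schema for the table named in the thread.
$dbh->do(q{CREATE TABLE arabic_corpus (word TEXT NOT NULL, count INTEGER NOT NULL)});

# Constructed input. The second row carries the string from the thread; with
# placeholders it is bound as a value, never spliced into the SQL text.
my @rows = (
    [ "kitab", 23 ],
    [ "qalam", "23); DROP TABLE arabic_corpus;" ],
    [ "it's",  7 ],    # embedded quote, equally harmless with placeholders
);

# prepare() once: the '?' markers are filled in by the driver at execute() time,
# so no quoting or escaping of the values is ever done by hand.
my $sth = $dbh->prepare(q{INSERT INTO arabic_corpus (word, count) VALUES (?, ?)});

# One transaction around the batch: either every row lands or none does.
$dbh->begin_work;
eval {
    for my $r (@rows) {
        $sth->execute(@$r);    # execute() many times, rebinding the two values
    }
    $dbh->commit;
    1;
} or do {
    my $err = $@ || 'unknown error';
    $dbh->rollback;
    die "batch failed, rolled back: $err";
};

# The table still exists; the hostile string is simply a stored value.
my ($n) = $dbh->selectrow_array(q{SELECT COUNT(*) FROM arabic_corpus});
print "rows inserted: $n\n";

my ($stored) = $dbh->selectrow_array(
    q{SELECT count FROM arabic_corpus WHERE word = ?}, undef, 'qalam');
print "stored count for qalam: $stored\n";
```

SQLite's loose typing lets the non-numeric string into an INTEGER column as text. MySQL in strict SQL mode would instead reject that row at `execute()`; because `RaiseError` is set, that raises inside the `eval`, the `or do` branch rolls the whole batch back, and the worst outcome of the bad input is a refused insert rather than a dropped table.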
