Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
A quick peek within the source revealed that it does quote table names and other values that you can't use placeholders for.
SQL::Abstract does quote table names and field names with whatever $self->{quote_char} is set to, which is default to empty string. At least MySQL allows to quote table and field names with backtick characters (`table_name`).
use SQL::Abstract; my $SQL = SQL::Abstract->new(quote_char => '`');
Quoting tables and fields (selet * from `user`) is different from quoting values (where name = 'bob'). So what's the problem? You can't use placeholders on tables and fields, after all, only values. From DBI docs:
With most drivers, placeholders canít be used for any element of a statement that would prevent the database server from validating the statement and creating a query execution plan for it. For example:
"SELECT name, age FROM ?" # wrong (will probably fail) "SELECT name, ? FROM people" # wrong (but may not ífailí)

Open source softwares? Share and enjoy. Make profit from them if you can. Yet, share and enjoy!


In reply to Re^4: Simple question on SQL Injection by naikonta
in thread Simple question on SQL Injection by radix

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others making s'mores by the fire in the courtyard of the Monastery: (3)
    As of 2019-08-18 19:02 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?
      If you were the first to set foot on the Moon, what would be your epigram?






      Results (135 votes). Check out past polls.

      Notices?