http://www.perlmonks.org?node_id=396346

awohld has asked for the wisdom of the Perl Monks concerning the following question:

Here is a script I made to do database inserts. Should I limit the amount of data that can be posted to prevent buffer overflows? I guess that there shouldn't be anymore than 30,000 characters in the text area so I was figuring using $CGI::POST_MAX = 30000. I did this assuming that 30,000 ASCII characters assuming that 1 ASCII character is 1 byte.

Also I think my query is immune from SQL injection attacks. Is it?

#!/usr/bin/perl -wT use DBI; use strict; use CGI; $CGI::POST_MAX = 30000; use POSIX 'strftime'; my $q = CGI->new(); my $id = $q->param ('id'); my $other_comments = $q->param ('other_comments'); my $date = strftime( "%m/%d/%Y",localtime(time) ); ##Start database connections########################## my $database = "database"; my $db_server = "localhost"; my $user = "user"; my $password = "password"; ##Connect to database, insert statement, & disconnect## my $dbh = DBI->connect("DBI:mysql:$database:$db_server", $user, $passw +ord); my $statement = "INSERT INTO database (id1, comnt, date1) VALUES (?,?, +?)"; my $sth; $sth = $dbh->prepare($statement) or die "Couldn't prepare the query: $ +sth->errstr"; my $rv = $sth->execute($id,$other_comments,$date) or die "Couldn't exe +cute query: $dbh->errstr"; my $rc = $sth->finish; $rc = $dbh->disconnect; ####################################################### print "Content-type: text/html\n\n"; print $date;