Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Re^3: Simple question on SQL Injection

by AK108 (Friar)
on Oct 10, 2007 at 03:18 UTC ( #643856=note: print w/replies, xml ) Need Help??


in reply to Re^2: Simple question on SQL Injection
in thread Simple question on SQL Injection

You may be interested in SQL::Abstract. It allows you to build your query in Perl, and it returns the SQL along with the bind variables (for placeholders). A quick peek within the source revealed that it does quote table names and other values that you can't use placeholders for.

However, I am not familiar with DataObject. If it takes regular SQL and supports placeholders, SQL::Abstract could still be helpful.

Replies are listed 'Best First'.
Re^4: Simple question on SQL Injection
by naikonta (Curate) on Oct 10, 2007 at 19:03 UTC
    A quick peek within the source revealed that it does quote table names and other values that you can't use placeholders for.
    SQL::Abstract does quote table names and field names with whatever $self->{quote_char} is set to, which is default to empty string. At least MySQL allows to quote table and field names with backtick characters (`table_name`).
    use SQL::Abstract; my $SQL = SQL::Abstract->new(quote_char => '`');
    Quoting tables and fields (selet * from `user`) is different from quoting values (where name = 'bob'). So what's the problem? You can't use placeholders on tables and fields, after all, only values. From DBI docs:
    With most drivers, placeholders can’t be used for any element of a statement that would prevent the database server from validating the statement and creating a query execution plan for it. For example:
    "SELECT name, age FROM ?" # wrong (will probably fail) "SELECT name, ? FROM people" # wrong (but may not ’fail’)

    Open source softwares? Share and enjoy. Make profit from them if you can. Yet, share and enjoy!

      I was unaware that SQL::Abstract did not quote table names. However, I am aware of the difference between placeholders and quoting (as I did a bit of pure DBI before using SQL::Abstract in conjunction with it). Your message does show the difference better than mine.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://643856]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (1)
As of 2019-08-21 04:35 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?