in reply to Re^3: DBI parameterized database query with comma seperated list
in thread DBI parameterized database query with comma seperated list
Reread the 'dynamic' SQL above. Note that the dynamic component is the number of placeholders, and so there is no attack surface exposed. There are safe and robust ways to do dynamic SQL; it's just always important to understand how to fundamentally limit what could possibly be included. I expect your proposal would bypass the Perl escaping layer entirely, thus increasing the number of attack vectors.
<pedantic>Technically, there is additional attack surface, since you could create some kind of denial of service based upon a really long query, but that's really getting into the weeds.</pedantic>
#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.
|
---|
Replies are listed 'Best First'. | |
---|---|
Re^5: DBI parameterized database query with comma seperated list
by Pope-O-Matik (Pilgrim) on Dec 21, 2015 at 11:28 UTC | |
by kennethk (Abbot) on Dec 21, 2015 at 23:23 UTC | |
by Pope-O-Matik (Pilgrim) on Dec 22, 2015 at 04:44 UTC |
In Section
Seekers of Perl Wisdom