in reply to RFC:Tutorial: Using jQuery, Json, and Perl for Web development

Great end-to-end example, with at least problem. In record, you are escaping the values in the query that you're constructing, but not the keys. That opens the door to an injection attack.
  • Comment on Re: RFC:Tutorial: Using jQuery, Json, and Perl for Web development
  • Download Code

Replies are listed 'Best First'.
Re^2: RFC:Tutorial: Using jQuery, Json, and Perl for Web development
by bradcathey (Prior) on May 29, 2010 at 14:06 UTC

    Point taken, but not sure how to satisfy. I just spent the last hour or so trying to find out exactly what needs to happen.

    I learned this technique from chromatic's venerable piece DBI is OK several years ago. Just came across Updating my database, where keys are escaped, but not quote as elegantly as I had hoped. Also looked again at $dbh->quote() but not seeing how that works with keys.

    Can you point me in the right direction on this one? I'd appreciate it because I use this approach a lot. Thanks.

    —Brad
    "The important work of moving the world forward does not wait to be done by perfect men." George Eliot

      $dbh->quote_identifier() should be sufficient. $dbh->quote() is only for values, and only for those rare cases where placeholders cannot be used.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)