Re: Re: Preferred Way of Scrubbing User Input Before DB Write

by jk2addict (Chaplain)
on Feb 02, 2004 at 20:28 UTC [id://325984]


in reply to Re: Preferred Way of Scrubbing User Input Before DB Write
in thread Preferred Way of Scrubbing User Input Before DB Write

Good point. My concern is that this is not exactly safe if the Data Access Layer is unknown or not part of the package.

In my case I'm built on top of Class::DBI so as a 3rd party programmer, I have no idea whether Class::DBI is playing safe using placeholders and quote. Sure, I can look for myself in the source, but what if I change DAL to a completely different layer or module?

When in doubt, the wise decision would still be not to accept any user input unless I'm sure it's safe, long before I pass it into a DAL. For that matter, let's assume there is no DAL. Then sanitizing user input is still my job.


Replies are listed 'Best First'.
Re: Re: Re: Preferred Way of Scrubbing User Input Before DB Write
by hardburn (Abbot) on Feb 02, 2004 at 20:45 UTC

    Class::DBI does use placeholders. Changing to a Perl-based DAL that doesn't use placeholders would be really, really stupid. DBI always supports placeholders (even if the underlying database doesn't), and the additional security and caching support they provide make it reckless to not use them. If there is no DAL, then it's up to you to use placeholders.

    I'm not saying to ignore input checking (I always do it even when I know placeholders will be there), but to put the problem in perspective.

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    : () { :|:& };:

    Note: All code is untested, unless otherwise stated

      DBI always supports placeholders (even if the underlying database doesn't)
      While this is mostly the case, there are exceptions. One that is fairly significant, given the number of people using MS-SQL, is DBD::Sybase with FreeTDS, which does NOT support placeholders at the moment, because of a lack of support for placeholders in FreeTDS's version of the Client Library API (which is what DBD::Sybase uses).

      Other systems or combination of front-ends and database engines may have similar problems.

      Michael
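To make the thread's advice concrete, here is an added example (not code from any of the posts above) in Perl DBI against an in-memory SQLite database; it assumes DBD::SQLite is installed. It puts side by side the interpolated query the thread warns against, the placeholder form hardburn recommends, the $dbh->quote() fallback for a driver that lacks placeholder support (the DBD::Sybase/FreeTDS case Michael raises), and a DAL-independent allow-list check of the kind jk2addict describes. The table contents and the hostile input are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; ":memory:" keeps the demo self-contained.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 } );

# Constructed sample data.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)");
$dbh->do("INSERT INTO users (username, role) VALUES ('alice', 'admin')");
$dbh->do("INSERT INTO users (username, role) VALUES ('bob', 'user')");

# Constructed attacker input: closes the string literal and appends a tautology.
my $hostile = "nobody' OR '1'='1";

# (1) VULNERABLE: user input is spliced into the SQL text, so the quote in
#     $name ends the literal and the rest of the input becomes SQL.
sub lookup_interpolated {
    my ( $dbh, $name ) = @_;
    my $rows = $dbh->selectall_arrayref(
        "SELECT username FROM users WHERE username = '$name'");
    return [ map { $_->[0] } @$rows ];
}

# (2) SAFE: a placeholder. The value is bound separately and never becomes
#     part of the statement text, whatever characters it contains.
sub lookup_placeholder {
    my ( $dbh, $name ) = @_;
    my $sth = $dbh->prepare("SELECT username FROM users WHERE username = ?");
    $sth->execute($name);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# (3) FALLBACK for a driver without placeholders: $dbh->quote() applies the
#     driver's own literal escaping (for SQLite, doubling embedded quotes).
sub lookup_quoted {
    my ( $dbh, $name ) = @_;
    my $sql = "SELECT username FROM users WHERE username = " . $dbh->quote($name);
    my $rows = $dbh->selectall_arrayref($sql);
    return [ map { $_->[0] } @$rows ];
}

# (4) Application-level check that does not depend on the DAL at all:
#     accept only the shape a username is allowed to have (allow-list),
#     rather than trying to strip "bad" characters (deny-list).
sub valid_username {
    my ($name) = @_;
    return defined $name && $name =~ /\A[a-z][a-z0-9_]{0,31}\z/;
}

printf "interpolated: %s\n", join( ",", @{ lookup_interpolated( $dbh, $hostile ) } );
printf "placeholder:  %s\n", join( ",", @{ lookup_placeholder( $dbh, $hostile ) } );
printf "quoted:       %s\n", join( ",", @{ lookup_quoted( $dbh, $hostile ) } );
printf "validate [%s]: %s\n", $hostile, valid_username($hostile) ? "accept" : "reject";
printf "validate [%s]: %s\n", "alice",  valid_username("alice")  ? "accept" : "reject";

$dbh->disconnect;
```

Run it with `perl` and compare the three lookups: the interpolated form matches every row because the tautology is executed as SQL, while the placeholder and quoted forms search for the literal string and match nothing. The allow-list check rejects the hostile value before any SQL is built, which is the layer you still control when the DAL underneath you changes; note that quote() only covers string literals and is no substitute for placeholders where the driver does support them.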
