pileswasp has asked for the wisdom of the Perl Monks concerning the following question:
As I understand it the DBI gives a bit of a syntax check in the prepare() method, so any semicolons or whatnot in odd places are going to cause an error, but is there any way, while doing something like:

my $sth = $dbh->prepare('SELECT * FROM foo WHERE bar = ?');
$sth->execute($baz);

that someone could pass in unfortunate extra bits in $baz like, for instance, '; DROP TABLE big_important_one' on the back of that parameter (in the same way as with opening files you can pass '; rm -rf *')?
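The following is an added example, not code from the thread or from any of the posters. It runs the question's SELECT twice against an in-memory SQLite database (assumes DBD::SQLite is installed): once with the value bound through a `?` placeholder, once with the value interpolated into the SQL string. The two hostile inputs are constructed for the example; the first is the one from the question, the second is chosen so that the difference shows even on a driver that refuses to run more than one statement per prepare().

```perl
#!/usr/bin/perl
# Added example (not from the original thread). Assumes DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT NOT NULL)');
$dbh->do('CREATE TABLE big_important_one (id INTEGER PRIMARY KEY)');
$dbh->do(q{INSERT INTO foo (bar) VALUES ('alice')});
$dbh->do(q{INSERT INTO foo (bar) VALUES ('bob')});

# Constructed hostile inputs: the first is the one from the question, the
# second works even where the driver only ever runs one statement per call.
my @payloads = (
    "alice'; DROP TABLE big_important_one; --",
    "x' OR 'a'='a",
);

sub count_rows_bound {
    my ($dbh, $value) = @_;
    # The statement text is fixed at prepare() time; $value travels as data,
    # so quotes and semicolons inside it are just characters to compare against.
    my $sth = $dbh->prepare('SELECT * FROM foo WHERE bar = ?');
    $sth->execute($value);
    return scalar @{ $sth->fetchall_arrayref };
}

sub count_rows_interpolated {
    my ($dbh, $value) = @_;
    # The value is pasted into the SQL text, so the database parses it as SQL.
    # This is the bug, included only for contrast; never do this with user input.
    my $sth = $dbh->prepare("SELECT * FROM foo WHERE bar = '$value'");
    $sth->execute;
    return scalar @{ $sth->fetchall_arrayref };
}

sub table_exists {
    my ($dbh, $name) = @_;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM sqlite_master WHERE type = ? AND name = ?',
        undef, 'table', $name);
    return $n;
}

for my $baz (@payloads) {
    print "input: $baz\n";

    # No row has that exact string as bar, so the bound query matches nothing.
    my $bound = count_rows_bound($dbh, $baz);
    print "  placeholder matched $bound row(s)\n";

    # Outcome of the interpolated query depends on what the driver does with
    # the altered SQL; report whatever happened rather than assuming.
    my $interp = eval { count_rows_interpolated($dbh, $baz) };
    if (defined $interp) {
        print "  interpolation matched $interp row(s)\n";
    } else {
        print "  interpolation failed: $@";
    }
    print "  big_important_one still exists: ",
        (table_exists($dbh, 'big_important_one') ? 'yes' : 'no'), "\n";
}
```

With the placeholder, both inputs match 0 rows: the whole string, quote and semicolon included, is compared literally against bar. With interpolation the second input turns the WHERE clause into `bar = 'x' OR 'a'='a'` and matches every row; what the first input does depends on whether the driver executes or rejects the trailing DROP statement, which is exactly why the outcome of interpolation should never be relied on.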
Replies are listed 'Best First'.

Re: DBI Parameter Security
by lhoward (Vicar) on Jul 13, 2001 at 21:23 UTC
by pileswasp (Monk) on Jul 13, 2001 at 21:29 UTC
by lhoward (Vicar) on Jul 13, 2001 at 21:31 UTC
SQL Injection Attacks
by pileswasp (Monk) on Feb 03, 2003 at 13:00 UTC
Re: DBI Parameter Security
by MZSanford (Curate) on Jul 13, 2001 at 21:30 UTC
by chipmunk (Parson) on Jul 14, 2001 at 00:03 UTC
by MZSanford (Curate) on Jul 13, 2001 at 21:33 UTC