Re: Re: DBI Parameter Security

by pileswasp (Monk)
on Jul 13, 2001 at 21:29 UTC ( #96486=note )


in reply to Re: DBI Parameter Security
in thread DBI Parameter Security

Thanks for the reply. That's what I expected for that particular example, but - excusing the naive example above as only a 'for instance' - does anyone know of a way that, without extra checking on the part of the developer, such a statement could be passed into the d/b?

Re: Re: Re: DBI Parameter Security
by lhoward (Vicar) on Jul 13, 2001 at 21:31 UTC
    As long as you're using placeholders (and the DBI layer doesn't shortcut them), there is no way that data will leak through as commands to the database.

    Turning on DBI tracing, you can see exactly what is happening:

        <- prepare('select * from foo where bar=?' CODE)= DBI::st=HASH(0x81a2574) at testph.pl line 11.
        <- execute('plugh' CODE)= 1 at testph.pl line 12.

    You can see from the trace how the commands are passed to the database separately from the data (using mySQL in this example). The DB is smart enough to not treat data as executable sql code.
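The separation lhoward describes can be checked directly. The script below is an added example, not code from either poster; it assumes DBD::SQLite is installed, creates the `foo`/`bar` table from the trace above in an in-memory database, and runs the same `WHERE bar=?` query twice with a constructed input containing a quote character: once by splicing the value into the SQL string, once through a placeholder. Setting `TRACE=1` in the environment turns on `DBI->trace(1)` so the prepare/execute lines appear on STDERR, as in the trace quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Optional: reproduce the prepare/execute trace lines shown in the thread.
DBI->trace(1) if $ENV{TRACE};

# Assumption: DBD::SQLite is available; an in-memory database keeps the
# example self-contained.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE foo (bar TEXT)');
$dbh->do('INSERT INTO foo (bar) VALUES (?)', undef, $_) for qw(plugh xyzzy);

# Constructed input: a value that, if pasted into the SQL text, closes the
# string literal early and leaves a tautology in the WHERE clause.
my $input = "nothing' OR '1'='1";

# Unsafe form: the value becomes part of the statement text, so the
# database parses it as SQL and every row satisfies the condition.
my $interpolated = "SELECT COUNT(*) FROM foo WHERE bar='$input'";
my ($n_interp) = $dbh->selectrow_array($interpolated);

# Safe form: the statement is prepared with a placeholder and the value is
# bound at execute time. It is compared as one opaque string, so no row
# matches, whatever characters it contains.
my $sth = $dbh->prepare('SELECT COUNT(*) FROM foo WHERE bar=?');
$sth->execute($input);
my ($n_ph) = $sth->fetchrow_array;
$sth->finish;

printf "interpolated statement: %d row(s) matched\n", $n_interp;
printf "placeholder statement:  %d row(s) matched\n", $n_ph;

$dbh->disconnect;
```

Run as written, the interpolated statement matches both rows and the placeholder statement matches none. lhoward's parenthetical about the DBI layer "shortcutting" placeholders refers to drivers that emulate them client-side by quoting the value into the SQL text before sending it; that is still done with the driver's own quoting routine rather than the developer's, so the value is never parsed as a command, but the trace will then show the finished statement rather than a separate execute with bound data.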
