*About quote():* Many thanks for your reply, but what is the difference between

    select * from tablename where x = ''; drop table tablename; --';

and

    select * from tablename where x = '\'; drop table tablename; --';

Both statements seem to be SQL injection attacks. What is the role that quote played?

Regards,
Raheel.

On Wed, Aug 26, 2009 at 4:37 PM, Chas. Owens <chas.ow...@gmail.com> wrote:
> On Wed, Aug 26, 2009 at 06:20, Raheel Hassan<raheel.has...@gmail.com> wrote:
> > In the CPAN documentation of DBI, I have problems in understanding the use. I
> > read the given text many times but it is not explained in detail. Can any
> > one suggest me some other sites where I can get details and a clear
> > explanation of the functions given below? Also, are there any other sites
> > for understanding CPAN modules if one could not get exactly what is
> > explained at CPAN?
> >
> > $dbh->quote($Value)
> snip
>
> This escapes characters the database considers special such as '.
> Consider this code:
>
>     my $value = get_value_from_user();
>     my $sql = "select * from tablename where x = '$value'";
>
> That code is very bad. If the user passes in the string "'; drop
> table tablename; --" then the resulting SQL will be
>
>     select * from tablename where x = ''; drop table tablename; --';
>
> this is called an SQL injection attack. The quote method helps
> prevent this sort of thing:
>
>     # quote() returns the value already wrapped in quotes, so no '...' here
>     my $value = $dbh->quote(get_value_from_user());
>     my $sql = "select * from tablename where x = $value";
>
> In this case, the SQL would be
>
>     select * from tablename where x = '\'; drop table tablename; --';
>
> You don't normally use the quote method directly. You should be using
> placeholders in your sql:
>
>     my $sth = $dbh->prepare("select * from tablename where x = ?");
>     $sth->execute(get_value_from_user());
>
> That code uses the quote method for you.
>
> snip
> > fetchrow_arrayref<http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_arrayref>
> snip
>
> This fetches a row and returns it as an arrayref, so given a row with
> the values "a", "b", "c" the result would be
>
>     my $row = ["a", "b", "c"];
>
> If you want to know more about references see [perlreftut][1],
> [perlref][2], and [perldsc][3], or ask about them here.
>
> snip
> > fetchrow_array<http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_array>
> snip
>
> This fetches a row and returns it as an array, given the same row as
> above the result would be:
>
>     my @row = ("a", "b", "c");
>
> snip
> > fetchrow_hashref<http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_hashref>
> snip
>
> This fetches a row and returns it as a hashref. In this case we will
> need to know the names of the columns, so we will assume they are foo,
> bar, and baz:
>
>     my $row = {
>         foo => "a",
>         bar => "b",
>         baz => "c"
>     };
>
> snip
> > fetchall_arrayref<http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchall_arrayref>
> > fetchall_hashref<http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchall_hashref>
> snip
>
> These both fetch all rows and return them as either arrayrefs or
> hashrefs and return those rows in an arrayref. So, given the rows
> ("a", "b", "c"), ("d", "e", "f"), ("g", "h", "i"), they would return:
>
>     my $data = [
>         ["a", "b", "c"],
>         ["d", "e", "f"],
>         ["g", "h", "i"]
>     ];
>
>     my $data = [
>         { foo => "a", bar => "b", baz => "c" },
>         { foo => "d", bar => "e", baz => "f" },
>         { foo => "g", bar => "h", baz => "i" }
>     ];
>
> [1] : http://perldoc.perl.org/perlreftut.html
> [2] : http://perldoc.perl.org/perlref.html
> [3] : http://perldoc.perl.org/perldsc.html
>
> --
> Chas. Owens
> wonkden.net
> The most important skill a programmer can have is the ability to read.
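The two statements Raheel asks about, and the fetch* methods from the reply, run against a real database below. This is an added example and not code from either message. It assumes DBD::SQLite with an in-memory database rather than the MySQL driver implied by the \' escaping in the thread (SQLite, like standard SQL, escapes ' as ''), and the table names, columns and rows are constructed for the demo. The point it makes visible: the naive string contains two statements, whereas the output of quote() is one string literal in which the attacker's ' can no longer close the quote, so "; drop table tablename; --" is compared as plain text and the table survives. Placeholders go one step further and keep the value out of the SQL text entirely. It also shows that fetchall_hashref takes a key column and returns a hashref keyed by that column's values, which differs from the arrayref-of-hashrefs shape you get from fetchall_arrayref({}).

```perl
#!/usr/bin/env perl
# Added example: quote() vs placeholders, then DBI's fetch* methods.
# Assumes DBD::SQLite; all tables and rows are constructed for this demo.
use strict;
use warnings;
use DBI;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE tablename (x TEXT)");
$dbh->do("INSERT INTO tablename (x) VALUES ('alice'), ('bob')");

# --- 1. The injection string from the thread ---------------------------------
my $evil = "'; drop table tablename; --";

# Naive interpolation: the attacker's leading ' closes the literal, so the
# rest of the input is parsed as SQL. Printed only, deliberately not executed.
my $naive_sql = "select * from tablename where x = '$evil'";
print "naive:       $naive_sql\n";

# quote(): returns the value as one complete SQL string literal, already
# wrapped in quotes with embedded quotes escaped, so no surrounding '...'
# is added here. SQLite produces '''; drop ...'; DBD::mysql would produce
# the '\'; drop ...' form quoted in the thread. Either way the literal runs
# to the final quote and "; drop table" never becomes a statement.
my $quoted_sql = "select * from tablename where x = " . $dbh->quote($evil);
print "quoted:      $quoted_sql\n";
my $hits = $dbh->selectall_arrayref($quoted_sql);
printf "quoted query matched %d rows\n", scalar @$hits;

# Placeholders: the value is bound separately and never enters the SQL text.
my $sth = $dbh->prepare("select * from tablename where x = ?");
$sth->execute($evil);
my $n = 0;
$n++ while $sth->fetchrow_arrayref;
print "placeholder query matched $n rows\n";

my ($count) = $dbh->selectrow_array("select count(*) from tablename");
print "tablename still exists with $count rows\n";

# --- 2. The fetch* methods ---------------------------------------------------
$dbh->do("CREATE TABLE demo (foo TEXT, bar TEXT, baz TEXT)");
$dbh->do("INSERT INTO demo VALUES ('a','b','c'), ('d','e','f'), ('g','h','i')");
$sth = $dbh->prepare("select foo, bar, baz from demo order by foo");

$sth->execute;
my $row_aref = [ @{ $sth->fetchrow_arrayref } ];   # copy: DBI reuses this ref
$sth->finish;
print "fetchrow_arrayref: ", Dumper($row_aref);     # ['a', 'b', 'c']

$sth->execute;
my @row_array = $sth->fetchrow_array;               # ('a', 'b', 'c')
$sth->finish;
print "fetchrow_array:    @row_array\n";

$sth->execute;
my $row_href = $sth->fetchrow_hashref;              # {foo=>'a', bar=>'b', baz=>'c'}
$sth->finish;
print "fetchrow_hashref:  ", Dumper($row_href);

# All rows at once: an arrayref of arrayrefs, or of hashrefs when given {}.
$sth->execute;
print "fetchall_arrayref:     ", Dumper($sth->fetchall_arrayref);
$sth->execute;
print "fetchall_arrayref({}): ", Dumper($sth->fetchall_arrayref({}));

# fetchall_hashref takes a key column and returns a hashref of hashrefs
# keyed by that column's value (here 'a', 'd', 'g'), not a list of rows.
$sth->execute;
print "fetchall_hashref('foo'): ", Dumper($sth->fetchall_hashref('foo'));
```

Run it with `perl quote_demo.pl` after installing DBI and DBD::SQLite from CPAN. The "quoted" and "placeholder" queries both report zero matches and the final count is still 2, which is the whole difference between the two statements in the question: the second one is a query for an odd-looking string, not an injection.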