On Thu, 2009-08-27 at 10:38 +0200, Raheel Hassan wrote:
> *About quote():*
> Many thanks for your reply, but what is the difference between
>
> select * from tablesname where x = ''; drop table tablename; --';
>
> and
>
> select * from tablesname where x = '\'; drop table tablename; --';
>
> Both the statements seem to be SQL injection attacks. What is the role
> that quote played??
>
> Regards,
> Raheel.

No, they're not the same. In the first statement, x is given an empty
value (''), followed by a new command. In the second select statement
x is given the string:

\'; drop table tablename; --

The leading \ tells the database server that the following ' is not
special, i.e., not the closing quote or end of the value string.
Instead it treats it as just a regular part of the string, such that
the value passed becomes:

'; drop table tablename; --

It's unlikely you'll have such a string stored in field x ;-)

HTH
Tim Bowden

BTW, please don't top post. It ruins the flow of the conversation.

> On Wed, Aug 26, 2009 at 4:37 PM, Chas. Owens <chas.ow...@gmail.com> wrote:
>
> > On Wed, Aug 26, 2009 at 06:20, Raheel Hassan <raheel.has...@gmail.com>
> > wrote:
> > > In the CPAN documentation of DBI, I have problems in understanding the
> > > use. I read the given text many times but it is not explained in
> > > detail. Can anyone suggest me some other sites where I can get details
> > > and a clear explanation of the functions given below? Also, are there
> > > any other sites for understanding CPAN modules if one could not get
> > > exactly what is explained at CPAN?
> > >
> > > $dbh->quote($Value)
> > snip
> >
> > This escapes characters the database considers special such as '.
> > Consider this code:
> >
> > my $value = get_value_from_user();
> > my $sql = "select * from tablename where x = '$value'";
> >
> > That code is very bad. If the user passes in the string "'; drop
> > table tablename; --" then the resulting SQL will be
> >
> > select * from tablesname where x = ''; drop table tablename; --';
> >
> > This is called an SQL injection attack. The quote method helps
> > prevent this sort of thing:
> >
> > my $value = $dbh->quote(get_value_from_user());
> > my $sql = "select * from tablename where x = '$value'";
> >
> > In this case, the SQL would be
> >
> > select * from tablesname where x = '\'; drop table tablename; --';
> >
> > You don't normally use the quote method directly. You should be using
> > placeholders in your SQL:
> >
> > my $sth = $dbh->prepare("select * from tablename where x = ?");
> > $sth->execute(get_value_from_user());
> >
> > That code uses the quote method for you.
> >
> > snip
> > > fetchrow_arrayref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_arrayref>
> > snip
> >
> > This fetches a row and returns it as an arrayref, so given a row with
> > the values "a", "b", "c" the result would be
> >
> > my $row = ["a", "b", "c"];
> >
> > If you want to know more about references see [perlreftut][1],
> > [perlref][2], and [perldsc][3], or ask about them here.
> >
> > snip
> > > fetchrow_array <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_array>
> > snip
> >
> > This fetches a row and returns it as an array; given the same row as
> > above the result would be:
> >
> > my @row = ("a", "b", "c");
> >
> > snip
> > > fetchrow_hashref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_hashref>
> > snip
> >
> > This fetches a row and returns it as a hashref. In this case we will
> > need to know the names of the columns, so we will assume they are foo,
> > bar, and baz:
> >
> > my $row = {
> >     foo => "a",
> >     bar => "b",
> >     baz => "c"
> > };
> >
> > snip
> > > fetchall_arrayref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchall_arrayref>
> > > fetchall_hashref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchall_hashref>
> > snip
> >
> > These both fetch all rows and return them as either arrayrefs or
> > hashrefs and return those rows in an arrayref. So, given the rows
> > ("a", "b", "c"), ("d", "e", "f"), ("g", "h", "i"), they would return:
> >
> > my $data = [
> >     ["a", "b", "c"],
> >     ["d", "e", "f"],
> >     ["g", "h", "i"]
> > ];
> >
> > my $data = [
> >     { foo => "a", bar => "b", baz => "c" },
> >     { foo => "d", bar => "e", baz => "f" },
> >     { foo => "g", bar => "h", baz => "i" }
> > ];
> >
> > [1] : http://perldoc.perl.org/perlreftut.html
> > [2] : http://perldoc.perl.org/perlref.html
> > [3] : http://perldoc.perl.org/perldsc.html
> >
> > --
> > Chas. Owens
> > wonkden.net
> > The most important skill a programmer can have is the ability to read.

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
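An added example, not part of the thread above, that runs the three forms discussed (plain interpolation, $dbh->quote(), and a placeholder) against an in-memory SQLite database; it assumes DBI and DBD::SQLite are installed, and the table, its rows and the $payload value are constructed for the demo. Note that quote() returns the value with its outer quotes already added, so it is dropped into the SQL without a second pair.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread). Assumes DBI and
# DBD::SQLite are available; the table and rows below are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });

# Constructed data: one row whose x column literally IS the injection
# string, so we can check that the safe forms treat it as data.
my $payload = "'; drop table tablename; --";
$dbh->do("create table tablename (x text)");
$dbh->do("insert into tablename (x) values (?)", undef, $_)
    for ("hello", $payload);

# 1. Interpolation: the quote inside $payload closes the literal early and
#    a second statement follows. Printed only, never executed.
my $unsafe = "select * from tablename where x = '$payload'";
print "interpolated: $unsafe\n";

# 2. quote(): returns the value WITH outer quotes and the inner quote
#    escaped (SQLite doubles it: '''; drop ...'), so no extra quotes
#    are written around it.
my $quoted = $dbh->quote($payload);
my $safe   = "select x from tablename where x = $quoted";
print "quoted:       $safe\n";
my ($via_quote) = $dbh->selectrow_array($safe);

# 3. Placeholder: the value is bound by the driver; the SQL text is
#    fixed, so nothing the user types can change its structure.
my $sth = $dbh->prepare("select x from tablename where x = ?");
$sth->execute($payload);
my ($via_bind) = $sth->fetchrow_array;

# Both safe forms match exactly the row holding the payload, and the
# table is still there afterwards.
my ($count) = $dbh->selectrow_array("select count(*) from tablename");
print "quote() matched: $via_quote\n";
print "bind matched:    $via_bind\n";
print "rows remaining:  $count\n";
```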