On Thu, 2009-08-27 at 10:38 +0200, Raheel Hassan wrote:
> *About quote():*
> Many thanks for your reply, but what is the difference between
> select * from tablesname where x = ''; drop table tablename; --';
> and
> select * from tablesname where x = '\'; drop table tablename; --';
> Both statements seem to be SQL injection attacks.  What is the role
> that quote played?
> 
> 
> Regards,
> Raheel.
> 
> 

No, they're not the same.  In the first statement, x is given an empty
value (''), followed by a new command.  In the second select statement x
is given the string:

\'; drop table tablename; --

The leading \ tells the database server that the following ' is not
special, ie, not the closing quote or end of the value string.  Instead
it treats it as just a regular part of the string, such that the value
passed becomes:

'; drop table tablename; --

It's unlikely you'll have such a string stored in field x  ;-)

HTH
Tim Bowden

BTW, please don't top post.  It ruins the flow of the conversation.
> 
> 
> On Wed, Aug 26, 2009 at 4:37 PM, Chas. Owens <chas.ow...@gmail.com> wrote:
> 
> > On Wed, Aug 26, 2009 at 06:20, Raheel Hassan<raheel.has...@gmail.com>
> > wrote:
> > > In CPAN documentation of DBI, I have problems in understanding the use. I
> > > read the given text many times but it is not explained in detail; can
> > > anyone suggest to me some other sites where I can get details and clear
> > > explanation of the under given functions. Also are there any other sites
> > > for
> > > understanding CPAN modules if one could not get exactly what is explained
> > > at
> > > CPAN.
> > >
> > > $dbh->quote($Value)
> > snip
> >
> > This escapes characters the database considers special such as '.
> > Consider this code:
> >
> > my $value = get_value_from_user();
> > my $sql   = "select * from tablename where x = '$value'";
> >
> > That code is very bad.  If the user passes in the string "'; drop
> > table tablename; --" then the resulting SQL will be
> >
> > select * from tablesname where x = ''; drop table tablename; --';
> >
> > this is called an SQL injection attack.  The quote method helps
> > prevent this sort of thing:
> >
> > my $value = $dbh->quote(get_value_from_user());
> > my $sql   = "select * from tablename where x = '$value'";
> >
> > In this case, the SQL would be
> >
> > select * from tablesname where x = '\'; drop table tablename; --';
> >
> > You don't normally use the quote method directly.  You should be using
> > placeholders in your sql:
> >
> > my $sth = $dbh->prepare("select * from tablename where x = ?");
> > $sth->execute(get_value_from_user());
> >
> > That code uses the quote method for you.
> >
> > snip
> > > fetchrow_arrayref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_arrayref>
> > snip
> >
> > This fetches a row and returns it as an arrayref, so given a row with
> > the values "a", "b", "c" the result would be
> >
> > my $row = ["a", "b", "c"];
> >
> > If you want to know more about references see [perlreftut][1],
> > [perlref][2], and [perldsc][3], or ask about them here.
> >
> > snip
> > > fetchrow_array <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_array>
> > snip
> >
> > This fetches a row and returns it as an array, given the same row as
> > above the result would be:
> >
> > my @row = ("a", "b", "c");
> >
> > snip
> > > fetchrow_hashref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchrow_hashref>
> > snip
> >
> > This fetches a row and returns it as a hashref.  In this case we will
> > need to know the names of the columns, so we will assume they are foo,
> > bar, and baz:
> >
> > my $row = {
> >    foo => "a",
> >    bar => "b",
> >    baz => "c"
> > };
> >
> > snip
> > > fetchall_arrayref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchall_arrayref>
> > > fetchall_hashref <http://search.cpan.org/%7Etimb/DBI-1.609/DBI.pm#fetchall_hashref>
> > snip
> >
> > These both fetch all rows and return them as either arrayrefs or
> > hashrefs and returns those rows in an arrayref.  So, given the rows
> > ("a", "b", "c"), ("d", "e", "f"), ("g", "h", "i"), they would return:
> >
> > my $data = [
> >    ["a", "b", "c"],
> >    ["d", "e", "f"],
> >    ["g", "h", "i"]
> > ];
> >
> > my $data = [
> >    { foo => "a", bar => "b", baz => "c" },
> >    { foo => "d", bar => "e", baz => "f" },
> >    { foo => "g", bar => "h", baz => "i" }
> > ];
> >
> > [1] : http://perldoc.perl.org/perlreftut.html
> > [2] : http://perldoc.perl.org/perlref.html
> > [3] : http://perldoc.perl.org/perldsc.html
> >
> > --
> > Chas. Owens
> > wonkden.net
> > The most important skill a programmer can have is the ability to read.
> >


-- 
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
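The following script is an added example, not code from either poster. It puts the three approaches discussed in the thread (string interpolation, $dbh->quote, placeholders) side by side against an in-memory SQLite database, then runs the fetch methods Chas. Owens described on the same three rows. It assumes DBD::SQLite is installed; the table name tablename and the columns foo, bar, baz are taken from the thread. Two details worth knowing that the thread does not spell out: quote() returns the value already wrapped in its surrounding quotes (so it is not interpolated inside another pair of quotes), and the escaping it applies is chosen by the driver (SQLite doubles the embedded quote to '', MySQL would use \'). The interpolated SQL is only built and printed here; it is never executed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the script runs offline (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });

$dbh->do("CREATE TABLE tablename (foo TEXT, bar TEXT, baz TEXT)");
$dbh->do("INSERT INTO tablename VALUES (?, ?, ?)", undef, @$_)
    for (["a", "b", "c"], ["d", "e", "f"], ["g", "h", "i"]);

# Constructed hostile input of the kind discussed in the thread.
my $value = "'; drop table tablename; --";

# 1. Interpolation: the quote inside $value closes the literal and the rest
#    of the input becomes SQL.  Built only as a string; never executed here.
my $unsafe_sql = "select * from tablename where foo = '$value'";
print "Interpolated SQL: $unsafe_sql\n";

# 2. $dbh->quote: returns a complete SQL literal, quotes included, with the
#    embedded quote escaped the way this driver requires ('' for SQLite).
my $quoted   = $dbh->quote($value);
my $safe_sql = "select * from tablename where foo = $quoted";
print "Quoted SQL:       $safe_sql\n";
my $rows = $dbh->selectall_arrayref($safe_sql);
printf "Rows matched with quote():      %d\n", scalar @$rows;   # 0, compared literally

# 3. Placeholders: the value is bound separately and never touches the SQL text.
my $sth = $dbh->prepare("select * from tablename where foo = ?");
$sth->execute($value);
$rows = $sth->fetchall_arrayref;
printf "Rows matched with placeholder:  %d\n", scalar @$rows;   # 0

# The table survived both lookups.
my ($count) = $dbh->selectrow_array("select count(*) from tablename");
print "Rows still in table: $count\n";                          # 3

# The fetch methods from the thread, on the same three rows.
$sth = $dbh->prepare("select foo, bar, baz from tablename order by foo");
$sth->execute;
# fetchrow_arrayref reuses one buffer across fetches, so copy it before fetching again.
my $aref = [ @{ $sth->fetchrow_arrayref } ];   # ["a", "b", "c"]
my @arr  = $sth->fetchrow_array;               # ("d", "e", "f")
my $href = $sth->fetchrow_hashref;             # { foo => "g", bar => "h", baz => "i" }
print "arrayref: @$aref | array: @arr | hashref: $href->{foo} $href->{bar} $href->{baz}\n";

$sth->execute;
my $all_rows = $sth->fetchall_arrayref;        # [ ["a","b","c"], ["d","e","f"], ["g","h","i"] ]
$sth->execute;
my $all_hashes = $sth->fetchall_arrayref({});  # [ { foo => "a", ... }, { foo => "d", ... }, ... ]
$sth->execute;
# fetchall_hashref takes a key column and returns a hashref keyed by its values.
my $by_foo = $sth->fetchall_hashref('foo');    # { a => { foo => "a", ... }, d => ..., g => ... }

printf "%d rows as arrayrefs, %d rows as hashrefs, keys by foo: %s\n",
    scalar @$all_rows, scalar @$all_hashes, join(",", sort keys %$by_foo);
$dbh->disconnect;
```

Running it prints the interpolated statement with the comment sequence in place, the quoted statement with the quote doubled, zero matches for both safe lookups, and a row count of 3, which is the point of Tim's reply: after quoting or binding, the input is only ever compared as a string.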