>   $db = $self->param('db') ;
>   $self->param('db' => $db) ;
>
> and have setup() use this parameter:
>   if ( defined($db = $self->param('db')) ) {
>       $dbh = DBI->connect("DBI:mysql:database=$db;host=localhost",

Bad idea from a security standpoint.  Always sanity check user input.
What if the user set a 'db' param for a machine you didn't want him to
connect to?

If you are going to go this route, try having a predefined list of
databases in a hash, and selecting based on key:

(in setup())

sub setup {
    my $self = shift;

    # Allowed database hosts, keyed by the short name a client may send
    $self->param('DBList', {
        Local  => 'local.db.box.com',
        Other  => 'other.db.box.com',
        Backup => 'backup.db.box.com',
    });

    # Map the request's 'db' value through the list; anything not in it
    # (including a missing parameter) leaves 'db' undefined
    my $q   = $self->query();
    my $key = $q->param('db');
    $self->param('db', defined $key ? $self->param('DBList')->{$key} : undef);

    if ($self->param('db')) {
        ....
    }
}

> So the question is, Is this a reasonable approach?  Are there alternatives
> that I should consider?

It looks reasonable to me.  The question I'd have is if you are having any
session security on these.  If this isn't open to all of your users, you
should probably save your session somehow to make sure a malicious user
doesn't tinker.  If it is open, this is fine.
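The contrast the reply draws, as a stand-alone Perl script added here (not code from the thread): the quoted post's pattern drops the request parameter straight into the DSN, while the allowlist pattern treats it only as a key. The hostnames, the fixed database name `app`, and the function names `dsn_unchecked` and `dsn_from_allowlist` are constructed for illustration; the script does not connect to anything, it only builds the DSN string.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist: the only database hosts this application may reach.
# The hostnames are placeholders, not real machines.
my %DB_LIST = (
    Local  => 'local.db.box.com',
    Other  => 'other.db.box.com',
    Backup => 'backup.db.box.com',
);

# Pattern from the quoted post: the request value is interpolated into the
# DSN unchanged, so whoever sends the request chooses what goes in it.
sub dsn_unchecked {
    my ($db) = @_;
    return "DBI:mysql:database=$db;host=localhost";
}

# Pattern from the reply: the request value is only a key into the allowlist.
# A missing or unknown key yields undef rather than a guessed DSN, so the
# caller can refuse the request instead of connecting somewhere unexpected.
sub dsn_from_allowlist {
    my ($db_key) = @_;
    return undef unless defined $db_key && length $db_key;
    my $host = $DB_LIST{$db_key};
    return undef unless defined $host;
    # Database name fixed per application here (assumption); only the host varies
    return "DBI:mysql:database=app;host=$host";
}

# Constructed request values: two valid keys, an absent parameter, an empty
# one, and a name that is not in the list at all.
my @inputs = ('Local', 'Backup', undef, '', 'some.other.machine');

for my $input (@inputs) {
    my $shown = defined $input ? "'$input'" : 'undef';
    my $dsn   = dsn_from_allowlist($input);
    printf "%-22s => %s\n", $shown, defined $dsn ? $dsn : '(rejected)';
}

# Same inputs through the unchecked builder, to show why the reply objects:
# every value, valid or not, becomes part of the connection string.
for my $input (grep { defined } @inputs) {
    printf "unchecked %-12s => %s\n", "'$input'", dsn_unchecked($input);
}
```

Run it with `perl allowlist.pl`; the first loop prints a DSN only for `Local` and `Backup` and `(rejected)` for the rest, which is the branch the reply's `if ($self->param('db'))` guards on. The check on `length` covers the empty-string case that a bare `defined` test would let through to a hash lookup.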
