Hey, 2-parter here, both involving quote()...
(System: Apache 1.3.27, MySQL 3.23.55, Perl 5.8.0)

1) Does quote() not recognize hashes? I had a line:

    $emailq = $dbh->quote($in{'email'});

And through testing found it wasn't working. However:

    $email = $in{'email'};
    $emailq = $dbh->quote($email);

Also works:

    $emailq = $dbh->quote("$in{'email'}");

Putting quotes around the hash. Is there a reason why the first line doesn't work? Was quite surprised to finally figure this out, since most quote() commands go around regular string variables. It was working on those, so I had no clue it wouldn't work correctly on a hash.

2) SQL Injection - I've read a few pages about this, and I'm going through all my code to ensure this (and other security issues) are dealt with. The pages I read that were specific to DBI all seemed to be very reliant on quote() working correctly. Is quote() really enough to deal with SQL injection though? I'm also:

  a. ensuring numbers are actually numbers
  b. checking input against maximum allowed lengths for that input

I plan to eventually release the script I'm writing under the GPL and make it public. While I'm plenty experienced with handling general Perl security issues, I'm still learning the issues involved with database access security, particularly when it's being accessed on a public website. So are there other general things I should be looking at besides the above?

Thanks,
Joe

-- 
Now Playing: Winger - Miles Away [From In The Heart Of The Young (1990)] (3:35/4:11)
Powered by XMMS and SuSE Linux 8.2 Pro
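The two concerns in the post (whether quote() fired on a particular expression, and whether quote() alone is enough) are usually settled the same way in DBI code: bind the values with placeholders so that user data is never spliced into the SQL text, and validate type and length before the query runs. The following is an added example, not code from the original post; it assumes a hypothetical `users` table with an `email` VARCHAR(255) column and an `age` INT column, a DSN and credentials marked as placeholders, and a `%in` hash standing in for decoded form input with constructed sample values.

```perl
#!/usr/bin/perl
# Added example (not from the original post): placeholders plus input
# validation as the DBI pattern for keeping form input out of SQL text.
use strict;
use warnings;
use DBI;

# Constructed sample input; the apostrophe is there to show that a value
# which would break naive string interpolation is handled correctly.
my %in = ( email => "o'reilly\@example.com", age => "42" );

# Column limits (assumed schema): email VARCHAR(255), age INT.
my %max_len = ( email => 255 );

# Numbers must be numbers: accept only an optional sign and 1-9 digits,
# and return a numeric scalar rather than the raw string.
sub valid_int {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /\A-?\d{1,9}\z/;
    return $v + 0;
}

# Strings must fit the column they are going into.
sub valid_str {
    my ($v, $max) = @_;
    return undef unless defined $v && length($v) <= $max;
    return $v;
}

my $email = valid_str($in{'email'}, $max_len{email});
defined $email or die "invalid or over-long email\n";
my $age = valid_int($in{'age'});
defined $age or die "age is not an integer\n";

# HYPOTHETICAL connection details; replace with the real DSN and credentials.
my $dbh = DBI->connect(
    'dbi:mysql:database=HYPOTHETICAL_DB', 'HYPOTHETICAL_USER', 'HYPOTHETICAL_PASS',
    { RaiseError => 1, PrintError => 0 },
);

# Placeholders: the SQL text is fixed at prepare() time and each bound value
# is quoted by DBI/the driver at execute() time, so no call to quote() is
# needed and there is nothing to forget.
my $sth = $dbh->prepare('SELECT id FROM users WHERE email = ? AND age = ?');
$sth->execute($email, $age);
while ( my ($id) = $sth->fetchrow_array ) {
    print "found user $id\n";
}
$sth->finish;

# If SQL must be built by hand (e.g. a dynamic column list), quote() is the
# fallback; the validated scalar is passed, not an interpolated string.
my $sql = 'SELECT id FROM users WHERE email = ' . $dbh->quote($email);
my $ids = $dbh->selectcol_arrayref($sql);
print "by quote(): ", scalar(@$ids), " row(s)\n";

$dbh->disconnect;
```

With DBD::mysql of that era the `?` placeholders are emulated on the client side (the driver escapes each value and builds the final statement itself), so the protection is the same escaping quote() performs, applied automatically to every bound value. The type and length checks remain worthwhile on top of that: they keep an `age` of `"42 OR 1=1"` from ever reaching the database as a string, and they reject input that would be silently truncated by the column width.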