Hmm, the DBI police??
Would be nice to have a DBD report back that the 'SQL' you entered is whacked and will take forever to run, so do not blame 'Perl' for poor performance.
Sounds like a good idea, but at what point do you draw the line?
I guess what you can catch are SQL injection situations, but do you really want to catch code like this:
$dbh->do('select * from v$session where 0=1');
which is not inline scripted but looks like it??
Anyway I have a good name for it
DBI-Nanny
cheers
John Scoles
Gabor Szabo wrote:
Hi,
I have just noticed that a web application I am using has embedded values in SQL statements instead of placeholders, and it does not check the input from the user, which causes a nice error message (including the whole SQL statement) to be part of the response page.
I reported it to the site owner, but I wonder how they could fix their code?
They can go over the whole code manually, but it is time consuming and error prone: they might miss one of the statements.
I wonder if there is a way in DBI to report such usage or to even disallow such usage (e.g. throw an error if that is used).
I wonder if there is a tool - a plugin to Perl::Critic maybe - that would check the source code and report such issues?
regards
Gabor
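Added example, not code from this thread, from DBI or from Perl::Critic: a heuristic, line-oriented Perl scanner of the kind Gabor asks about. It flags DBI calls whose SQL argument interpolates a variable in a double-quoted or qq{} string, concatenates a variable onto a literal, or is built with sprintf, and it leaves single-quoted literals alone, so John's `v$session` line passes while a `'$name'` interpolation does not. The method list, the regexes and the sample source it scans are all constructed for this demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical heuristic scanner (not DBI or Perl::Critic code): flags DBI calls
# whose SQL is assembled from variables instead of using placeholders. It works
# one line at a time with regexes, so it only catches the common one-line cases.

my @dbi_methods = qw(do prepare prepare_cached selectall_arrayref selectall_hashref
                     selectrow_array selectrow_arrayref selectrow_hashref
                     selectcol_arrayref);
my $method_re = join '|', @dbi_methods;

# A double-quoted string body (escapes handled) and a single-quoted one.
my $dq = qr/"(?:[^"\\]|\\.)*"/;
my $sq = qr/'(?:[^'\\]|\\.)*'/;

# Say why the first argument of a DBI call is suspicious; return nothing if it
# looks fine (a literal without interpolation, with or without '?' placeholders).
sub classify_sql_arg {
    my ($arg) = @_;
    if ($arg =~ /^($dq)/) {
        my $body = substr $1, 1, -1;
        # An unescaped $ or @ followed by a word character interpolates in "...".
        return 'double-quoted SQL interpolates a variable' if $body =~ /(?<!\\)[\$\@]\w/;
        return;
    }
    if ($arg =~ /^qq\s*(?:\{([^}]*)\}|\(([^)]*)\))/) {
        my $body = defined $1 ? $1 : $2;
        return 'qq{} SQL interpolates a variable' if $body =~ /(?<!\\)[\$\@]\w/;
        return;
    }
    # '...' never interpolates, so 'select * from v$session' is fine on its own,
    # but '...' . $var (or "..." . $var) is concatenation.
    return 'SQL string concatenated with a variable'
        if $arg =~ /^(?:$dq|$sq)\s*\.\s*[\$\@]/;
    return 'SQL built with sprintf' if $arg =~ /^sprintf\s*\(/;
    return;
}

# Scan a chunk of Perl source; return one hashref per suspicious DBI call.
sub scan_source {
    my ($src) = @_;
    my @findings;
    my $n = 0;
    for my $line (split /\n/, $src) {
        $n++;
        next unless $line =~ /->\s*(?:$method_re)\s*\(\s*(.*)$/;
        my $why = classify_sql_arg($1);
        push @findings, { line => $n, why => $why, text => $line } if defined $why;
    }
    return @findings;
}

# Constructed sample source for the demonstration (not from any real application).
my $sample = <<'END';
my $sth = $dbh->prepare("select * from users where id = ?");
$dbh->do("delete from users where name = '$name'");
$dbh->do('select * from v$session where 0=1');
my $rows = $dbh->selectall_arrayref('select * from users where name = ' . $name);
$dbh->selectrow_array(qq{select count(*) from t where id = $id});
$dbh->do("insert into t values (?, ?)", undef, $x, $y);
$dbh->do(sprintf("update t set n = %d", $n));
END

# Expected: lines 2, 4, 5 and 7 are reported; lines 1, 3 and 6 are not.
for my $f (scan_source($sample)) {
    printf "line %d: %s\n    %s\n", $f->{line}, $f->{why}, $f->{text};
}
```

This is only a first pass for the manual review Gabor describes: it does not see SQL held in a variable and passed later, statements split over several lines, or string building done before the call, and it can be fooled by a literal that merely contains `$`. A real Perl::Critic policy would walk the PPI parse tree instead of matching lines, which removes most of those blind spots.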