As it stands, you have a major SQL injection vulnerability; consider a name
such as
O'or 1=1
This will modify your SQL so that many rows match. Putting the string into a
call to UPPER changes what is required to break in, but gives no real extra
protection.
Using placeholders is crucial.
Sent from my BlackBerry® smartphone, powered by CREDO Mobile.
-----Original Message-----
From: "Larry W. Virden" <lvir...@gmail.com>
Date: Mon, 3 May 2010 11:30:28
To: <dbi-users@perl.org>
Subject: Trying to safely compare user input name against database
I've a case where a function is called with a string provided by a
user, and some legacy code then puts that string into a select
statement for dbi. The code currently reads:
my ($query) = $dbconn->prepare(
"Select * from my_table where last_name LIKE
'$SearchName'");
$query->execute() or return \...@retval; #problem return empty array
Now, one of the issues that comes up is the situation where the user's
string doesn't match the case of the name in the table.
For instance, if they pass a "McDonnel" as the string, but in the
table, it is "Mcdonnel", of course there is no match.
So, I was thinking of modifying this to read
my ($query) = $dbconn->prepare(
"Select * from my_table where UPPER(last_name) LIKE
UPPER('$SearchName')");
Are there any gotchas in going this route? Is there a better way of
doing this?
