> >What has Perl's string interpolation got to do with DBI?
> >
> >"SELECT * FROM $working_tbl WHERE first='one' ORDER BY Location"
> >
> >The variable $working_tbl will be interpolated by Perl, long before DBI
> >ever gets to see the SQL statement, due to the double-quote.
>
> $working_tbl may come from some kind of user input, which opens you up to
> SQL injection attacks. Most databases don't allow placeholders for the
> table name. It's best to use DBI->quote() whenever you absolutely must
> interpolate a variable into an SQL statement.
no - you should never take any kind of user input without doing input validation -> otherwise you are asking for trouble. Also, DBI->quote() will not help with the example written above, as Perl will interpolate the variable into the string, due to the double-quotes. You are correct that most databases won't use variable table names, but the syntax was not written like: "SELECT * FROM ? WHERE ..."

Mathew
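An added example, not from either poster, that puts the two points of the thread together: the table name cannot be a `?` placeholder, so it is validated against an allowlist before interpolation (and wrapped with DBI's `quote_identifier`), while the `first` value goes through a placeholder so Perl never splices it into the SQL text. It assumes DBD::SQLite is installed; the in-memory table and the `%allowed_tbl` list are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database stands in
# for whatever the original poster was querying.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE items (first TEXT, Location TEXT)');
$dbh->do(q{INSERT INTO items VALUES ('one', 'shelf A')});

# Only these tables may be named in a query; anything else is rejected.
my %allowed_tbl = map { $_ => 1 } qw(items archive);

sub fetch_rows {
    my ($working_tbl, $first) = @_;

    # 1. The table name cannot be a placeholder, so it is checked against
    #    the allowlist before it is ever interpolated into the statement.
    die "refusing table '$working_tbl': not in allowlist\n"
        unless $allowed_tbl{$working_tbl};
    my $tbl = $dbh->quote_identifier($working_tbl);

    # 2. The value is passed as a placeholder; DBI hands it to the driver
    #    separately, so Perl's double-quote interpolation never sees it.
    my $sth = $dbh->prepare("SELECT * FROM $tbl WHERE first = ? ORDER BY Location");
    $sth->execute($first);
    return $sth->fetchall_arrayref;
}

# Normal use: one matching row.
my $rows = fetch_rows('items', 'one');
printf "%d row(s) for 'one'\n", scalar @$rows;

# A value containing a quote is compared as data, not parsed as SQL.
$rows = fetch_rows('items', "O'Brien");
printf "%d row(s) for O'Brien\n", scalar @$rows;

# A real table that is not on the allowlist is rejected before any SQL
# is built, which is the input validation Mathew is asking for.
eval { fetch_rows('sqlite_master', 'one') };
print "rejected: $@" if $@;
```

`quote()` on a value handles the quoting inside a string literal; it does nothing for an identifier such as a table name, which is why the allowlist check comes first.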