Hi,

On Jan 29, 2008 7:00 AM, Yona Shlomo <[EMAIL PROTECTED]> wrote:
> On Mon, 28 Jan 2008, Georges EL OJAIMI wrote:
> > Hello,
> >
> > Yona Shlomo wrote:
> >> How does the following help prevent HTML characters and SQL
> >> injection into the database?
>
> Can you answer this question? How does this transformation
> of yours help prevent SQL injections?

Personally I'm removing chars that I do not expect to have, so if I expect a number value, I do something like this:

    s/[^0-9]//g

Now chars that might affect HTML/SQL are escaped when I use them in HTML/SQL (not before, because it might change the content that I wish to check, like %20 for spaces [in URIs] etc.).

On SQL, I also use binding (if possible I recommend named binding rather than anonymous binding).

I usually create some sort of tool that does all of this for me, so I will not have to write a lot of code for each piece of work I require, and you might even want to create modules such as Sanitize::HTML and Sanitize::SQL that will be able to work well.

For HTML I recommend the CGI module; it has great escaping features.

Ido
--
http://ik.homelinux.org/
_______________________________________________
Perl mailing list
[email protected]
http://perl.org.il/mailman/listinfo/perl
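The three practices Ido describes (whitelist what you expect at input time, escape at the HTML sink rather than before storing, and use named placeholders so values never become part of the SQL text) put together in one script. This is an added example, not code from the thread; it assumes DBI with DBD::SQLite installed, the table and column names are made up for the demo, and the two "raw" inputs are constructed to look like hostile form data.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread). Assumes DBI and DBD::SQLite;
# the users table and the sample inputs below are made up for the demo.
use strict;
use warnings;
use DBI;
use CGI;

# 1. Whitelist at input time: keep only the characters you expect.
#    For a numeric id that means digits, so everything else is dropped.
sub only_digits {
    my ($s) = @_;
    $s =~ s/[^0-9]//g;
    return $s;
}

# 2. Escape at the HTML sink, not before. The stored value stays exactly
#    what the user sent; only the rendered output is encoded.
sub render_name {
    my ($name) = @_;
    return '<b>' . CGI::escapeHTML($name) . '</b>';
}

# 3. Named placeholders: the SQL text is fixed at prepare() time and the
#    values travel separately, so quotes in $name cannot alter the query.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

# Constructed sample input, shaped like something a form might deliver.
my $raw_id   = "42; DROP TABLE users";
my $raw_name = q{O'Brien <script>alert(1)</script>};

my $id = only_digits($raw_id);   # whitelist leaves just the digits

my $ins = $dbh->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$ins->bind_param(':id',   $id);
$ins->bind_param(':name', $raw_name);   # stored verbatim, apostrophe and all
$ins->execute;

my $sel = $dbh->prepare('SELECT name FROM users WHERE id = :id');
$sel->bind_param(':id', $id);
$sel->execute;
my ($stored) = $sel->fetchrow_array;

print "stored:   $stored\n";
print "rendered: ", render_name($stored), "\n";
```

Run it under a Perl with DBD::SQLite available; the "stored" line shows the name kept untouched in the database (so a later check or search still sees the original content), while the "rendered" line shows the same value made safe for HTML only at the point it is emitted.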
