Thanks mr William...
I'll give that a shot..
rgds
Frank
-----Original Message-----
From: William McKee [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 18 December 2002 7:33 AM
To: Franki
Cc: [EMAIL PROTECTED]
Subject: Re: [cgiapp] cgiapp_prerun
On 18 Dec 2002 at 6:10, Franki wrote:
Then it
Nope, it didn't work...
doesn't matter, though, I can stress about that some other time.
Right now I have another small question..
I have this code:
my $user_ID = $form_parameters->param('username');
my $pass_word = $form_parameters->param('password');
# Send them
A little bit of an optimization and security check - if all you are doing
is comparing if the username and password match, why not let SQL do it?
my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and
USER_PASSWORD = ?";
my $sth = $dbh->prepare($query);
$sth->execute($user_ID, $pass_word);
Cool,
Thanks for the tip.. I guess it's obvious I'm still learning DBI/SQL as well
huh???
I would really appreciate everyone picking my code apart at any given
opportunity and telling me what I could be doing better.
It's the best way to learn I think...
One small question.. should I be using
Do a Google search for SQL Injection. You will get some interesting
results. http://www.sqlsecurity.com/faq-inj.asp actually uses an example
very similar to yours. If you use the ? placeholders, and pass
parameters to the execute method, DBI takes care of the quoting for you,
and makes your life
On Thu, 19 Dec 2002 05:03:56 +0800, Franki wrote:
Hi again folks.
Hi Franki
Since there is such a wealth of knowledge here, I thought I'd ask for some
advice..
Another way to clean data is to scrub every byte from your users'
submissions (tab = 4 spaces sorry about the wrap):
sub
A little bit of an optimization and security check - if all you are doing
is comparing if the username and password match, why not let SQL do it?
my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and
USER_PASSWORD = ?";
my $sth = $dbh->prepare($query);
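To make the placeholder advice above concrete, here is an added example (my own code, not from anyone in this thread) that runs the same count(*) login check both ways against a throwaway in-memory SQLite database; it assumes DBD::SQLite is installed, and the table, user row and test inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database with a single user row (needs DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE user (USER_ID TEXT, USER_PASSWORD TEXT)");
$dbh->do("INSERT INTO user VALUES (?, ?)", undef, 'franki', 'secret');

# Unsafe variant: the submitted values are interpolated into the SQL text,
# so a quote character in the input becomes part of the statement.
sub count_interpolated {
    my ($user_ID, $pass_word) = @_;
    my $query = "SELECT count(*) FROM user WHERE USER_ID = '$user_ID' "
              . "AND USER_PASSWORD = '$pass_word'";
    my ($count) = $dbh->selectrow_array($query);
    return $count;
}

# Safe variant from the thread: ? placeholders, values passed to execute().
# DBI and the driver hand the values to the database separately from the
# SQL, so the input can never alter the statement's structure.
sub count_bound {
    my ($user_ID, $pass_word) = @_;
    my $query = "SELECT count(*) FROM user WHERE USER_ID = ? AND USER_PASSWORD = ?";
    my $sth = $dbh->prepare($query);
    $sth->execute($user_ID, $pass_word);
    my ($count) = $sth->fetchrow_array;
    $sth->finish;
    return $count;
}

# Constructed inputs: a correct login, a wrong password, and a password
# field containing a quote plus a tautology (the textbook injection case).
for my $case (['franki', 'secret'], ['franki', 'wrong'], ['franki', "x' OR '1'='1"]) {
    my ($u, $p) = @$case;
    printf "%-22s interpolated=%d  bound=%d\n", "$u / $p",
           count_interpolated($u, $p), count_bound($u, $p);
}
```

The third case is the point: the interpolated query reports 1 matching row even though the password is wrong, while the bound query correctly reports 0.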