Vulnerability Development mailing list archives
Re: malformed sql queries
From: Stefan Tomlik <stefan () tomlik de>
Date: 01 Jan 2002 19:47:21 +0100
On Tue, 2002-01-01 at 00:55, Patrik Birgersson wrote:
> I may be out of line here, and I've read the replies about filtering input. However, using Perl CGI + DBD/DBI, Apache and MySQL I write my DB queries like this:
>
>   $sth = $dbh->prepare ("SELECT * FROM table WHERE param = ?");
>   $sth->execute ($param)

Yes, you *can* do it that way. However, you will very often find something like this:

  my $q = new CGI;
  my $x = $q->param("another_param");
  my $sth = $dbh->prepare("SELECT col FROM table WHERE ref = '$x'");
  $sth->execute;

Even quoting $x will not help in case someone starts to write URLs the manual way.

> This (as I understand) prevents SQL injection into the query since I don't have the variables directly in the query, but supply them upon query execution.

Yes, what happens is that all parameters supplied to $handler->execute() will be treated with $dbh->quote() prior to using them.
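The contrast drawn in this reply, as an added example that is not part of the thread: the same lookup written once with the value interpolated into the SQL string (the `ref = '$x'` form) and once with a bound placeholder (the `prepare`/`execute($param)` form). It uses Python and an in-memory SQLite table instead of Perl DBI and MySQL; the table, its rows and the hand-written parameter values are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the "table" discussed in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t (col TEXT, ref TEXT)")
    db.executemany("INSERT INTO t VALUES (?, ?)",
                   [("secret-a", "alice"), ("secret-b", "bob")])
    return db


def lookup_interpolated(db, x):
    # Mirrors prepare("SELECT col FROM table WHERE ref = '$x'"):
    # the parameter becomes part of the SQL text and is parsed as SQL.
    sql = f"SELECT col FROM t WHERE ref = '{x}'"
    return [row[0] for row in db.execute(sql)]


def lookup_placeholder(db, x):
    # Mirrors prepare("... WHERE ref = ?") / execute($x):
    # the parameter is bound as a value and never reaches the SQL parser.
    rows = db.execute("SELECT col FROM t WHERE ref = ?", (x,))
    return [row[0] for row in rows]


def interpolation_breaks_on_quote(db):
    # A perfectly honest value containing an apostrophe is already enough
    # to break the interpolated query: the statement no longer parses.
    try:
        lookup_interpolated(db, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    db = make_db()
    honest = "alice"
    crafted = "' OR '1'='1"  # constructed: a parameter typed into the URL by hand
    return {
        "interp_honest": lookup_interpolated(db, honest),
        "interp_crafted": lookup_interpolated(db, crafted),   # returns every row
        "bound_honest": lookup_placeholder(db, honest),
        "bound_crafted": lookup_placeholder(db, crafted),     # matches nothing
    }


if __name__ == "__main__":
    print(demo(), interpolation_breaks_on_quote(make_db()))
```

The bound form returns nothing for the crafted value because no row has that literal string in `ref`, which is exactly the property the placeholder approach gives you.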