Vulnerability Development mailing list archives

Re: malformed sql queries


From: Stefan Tomlik <stefan () tomlik de>
Date: 01 Jan 2002 19:47:21 +0100

On Tue, 2002-01-01 at 00:55, Patrik Birgersson wrote:

> I may be out of line here, and I've read the replies about
> filtering input.
> However, using Perl CGI + DBD/DBI, Apache and MySQL I write my
> DB queries like this:
>
> $sth = $dbh->prepare ("SELECT * FROM table WHERE param = ?");
> $sth->execute ($param);

Yes, you *can* do it that way. However, you will find very often
something like this:

my $q = new CGI;
my $x = $q->param("another_param");   # untrusted value straight from the request
# $x is interpolated into the SQL text itself, so a quote inside it ends the literal
my $sth = $dbh->prepare("SELECT col FROM table WHERE ref = '$x'");
$sth->execute;

Even quoting $x will not help in case someone starts to write
URLs the manual way.


> This (as I understand) prevents SQL injection into the query
> since I don't have the variables directly in the query, but
> supply them upon query execution.

Yes, what happens is that all parameters supplied to $handler->execute()
will be treated with $dbh->quote() prior to using them.
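The three variants discussed in this thread side by side, as an added example that is not part of the original posts. It uses DBD::SQLite with an in-memory database so it runs offline (the thread used MySQL; DBI placeholders and $dbh->quote() behave the same from the caller's side), and the table, rows, function names and the attacker string are constructed for the demonstration:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not code from the thread. DBD::SQLite in memory stands in
# for the MySQL setup discussed above so the script runs without a server.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed schema and sample rows
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$dbh->do("INSERT INTO users (name, secret) VALUES (?, ?)", undef, "alice", "s3cr3t");
$dbh->do("INSERT INTO users (name, secret) VALUES (?, ?)", undef, "bob",   "hunter2");

# Constructed attacker input, as it could arrive from $q->param("name")
# when someone writes the URL by hand instead of using the form.
my $param = "x' OR '1'='1";

# 1. Interpolated query (the pattern Stefan warns about): the request value
#    becomes part of the SQL text, so the quote in it closes the literal and
#    the rest is parsed as SQL. The WHERE clause is now true for every row.
sub lookup_interpolated {
    my ($dbh, $x) = @_;
    my $sth = $dbh->prepare("SELECT name FROM users WHERE name = '$x'");
    $sth->execute;
    return $sth->fetchall_arrayref;
}

# 2. Placeholder query (Patrik's pattern): the SQL text is fixed at prepare()
#    time and the value is bound at execute(), so it is only ever compared as
#    data. Nobody is named "x' OR '1'='1", so nothing comes back.
sub lookup_placeholder {
    my ($dbh, $x) = @_;
    my $sth = $dbh->prepare("SELECT name FROM users WHERE name = ?");
    $sth->execute($x);
    return $sth->fetchall_arrayref;
}

# 3. Explicit $dbh->quote(): DBI doubles embedded single quotes and wraps the
#    result in quotes, so the value stays one string literal. Same protection
#    as a placeholder for a single value, but it has to be remembered at every
#    interpolation site, which is exactly where the pattern in 1 slips in.
sub lookup_quoted {
    my ($dbh, $x) = @_;
    my $lit = $dbh->quote($x);
    my $sth = $dbh->prepare("SELECT name FROM users WHERE name = $lit");
    $sth->execute;
    return $sth->fetchall_arrayref;
}

my @cases = (
    [ interpolated => \&lookup_interpolated ],
    [ placeholder  => \&lookup_placeholder  ],
    [ quoted       => \&lookup_quoted       ],
);
for my $case (@cases) {
    my ($label, $fn) = @$case;
    my $rows = $fn->($dbh, $param);
    printf "%-13s -> %d row(s) for input %s\n", $label, scalar @$rows, $param;
}

$dbh->disconnect;
```

Run it with `perl` after installing DBI and DBD::SQLite from CPAN; the interpolated variant returns the whole table while the other two return nothing. One caveat on the mechanism: how a placeholder is bound is driver-specific. Some drivers emulate placeholders client-side by quoting the value into the statement text, others send the statement and the values separately to the server. In both cases the bound value is never parsed as SQL, which is what matters for injection.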

