Vulnerability Development mailing list archives

Re: malformed sql queries


From: Patrik Birgersson <pbirgersson () telia com>
Date: Tue, 1 Jan 2002 00:55:17 +0100

On Sat, 29 Dec 2001 20:59:51 -0300
"Gabriel A. Maggiotti" <gmaggiot () ciudad com ar> shouted:

> A common query:
>
> (1) SELECT * from table WHERE id=$id
>
> where $id is a variable that the web programmer uses to perform
> the query.
> This implies that the variable is potentially revalueable (if
> it is not checked before using it).

I may be out of line here, and I've read the replies about
filtering input.
However, using Perl CGI + DBD/DBI, Apache and MySQL I write my
DB queries like this:

my $sth = $dbh->prepare("SELECT * FROM table WHERE param = ?");  # '?' is a DBI placeholder, not interpolated text
$sth->execute($param);                                            # DBI binds $param as a value, never as SQL

This (as I understand) prevents SQL injection into the query
since I don't have the variables directly in the query, but
supply them upon query execution.

If I'm all wrong here, please let the flames begin....



Patrik Birgersson


"No man is good enough to govern another man without that
other's consent."
 - Abraham Lincoln (1809 - 1865)
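To show the difference the two posts are arguing about, here is an added example (not from either poster) that runs the same query both ways against a constructed in-memory SQLite table. Python's sqlite3 module uses the same `?` placeholder convention as Perl DBI, so `query_parameterized` is the equivalent of the prepare/execute pair above, while `query_interpolated` is the `WHERE id=$id` pattern from the quoted message. The table name, column names, rows and the two sample inputs are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for 'table' in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def query_interpolated(conn, user_id):
    """The pattern from the quoted post: the request value is pasted into the SQL text.

    Whatever the string contains becomes part of the statement the parser sees.
    """
    sql = "SELECT id, name FROM users WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def query_parameterized(conn, user_id):
    """The DBI-style placeholder: the SQL text is fixed, the value is bound separately.

    The driver hands user_id to the engine as data; it is never parsed as SQL,
    so the shape of the WHERE clause cannot change.
    """
    return conn.execute("SELECT id, name FROM users WHERE id=?", (user_id,)).fetchall()


def demo():
    """Run both styles on an honest value and on a constructed value that carries SQL."""
    conn = make_db()
    honest = "2"
    crafted = "2 OR 1=1"  # constructed input; only matters if it reaches the parser
    return {
        "interp_honest": query_interpolated(conn, honest),
        "interp_crafted": query_interpolated(conn, crafted),
        "param_honest": query_parameterized(conn, honest),
        "param_crafted": query_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Interpolated, the crafted value rewrites the WHERE clause and every row comes back; bound through a placeholder, the same string is compared against the id column as a literal value and matches nothing. Note that SQLite applies numeric affinity to the bound "2" (so it still matches id 2), which is why the honest case behaves the same under both styles. Placeholders stop the query structure from changing; they do not replace validating that an id field actually holds an integer.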

