
Re: perl and postgresql

From: "Ville Jungman" <ville_jungman(at)hotmail(dot)com>
To: antti(dot)haapala(at)iki(dot)fi
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: perl and postgresql
Date: 2003-03-18 12:05:33
Message-ID: F25QG7UJ9Aus3Xzbofv0002ec16@hotmail.com
Lists: pgsql-novice
>The point is that he and you need to use placeholders to avoid SQL
>injection. Just consider the example below: what if variable prod is set to
>$prod = '10; DROP DATABASE x'

Doesn't work if $prod is checked elsewhere.

It's easier if you can call SQL commands in the same way that you do
at the SQL prompt. For example

@result=$self->kanta("select $a from table where name='$prod'");

is much simpler than the same query with placeholders. That's why I like to do
it with a sub like this.

>You should also look into DBI/DBD, as it seems to be the de facto way of
>doing database things in Perl today.

I'm familiar with that module. The use of these two modules is very similar,
so it's easy to change my sub to use DBD if I need to do it someday. But it's
good to know it's the more standard way.

> > >From: douggorley(at)shaw(dot)ca
> > >
> > >----- Original Message -----
> > >From: "Sugrue, Sean" <sean(dot)sugrue(at)analog(dot)com>
> > >
> > > >
> > > >
> > > > I am trying to execute the following query within perl
> > > >
> > > > #!/usr/local/bin/perl
> > > >
> > > > use DBI;
> > > >
> > > > $prod='stdf';
> > > >
> > > > $dbh = DBI->connect("dbi:Pg:dbname=database;host=mink;port=0000","username","password");
> > > > $sth = $dbh->prepare("select *  from filestatus where fileformat = $prod");
> > > > if( defined($sth)){
> > > >
> > > > $sth->execute;
> > > > #for when model numbers are available
> > > > while (@devices = $sth->fetchrow){
> > > > ($product,$spec_key)=@devices;
> > > > print"product = $product and speckey = $spec_key \n"; }
> > > > }
> > > >
> > > > i***************************************
> > > > it works if you put a literal value of 'stdf' for $prod
> > > > but it fails when I try to use a variable.
> > > >
> > > > Another point is if it were an integer the variable would work.
> > > >
> > > > Question: How can I get this to work. I've used q// qw// qq// qx//
> > > >
> > > > Sean
> > > >
> > >
> > >Try using placeholders.
> > >
> > >$prod='stdf';
> > >$sth = $dbh->prepare("select *  from filestatus where fileformat = ?");
> > >$sth->execute( $prod );
> > >
> > >Doug Gorley | douggorley(at)shaw(dot)ca
>
>--
>Antti Haapala


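The placeholder approach both replies recommend, as an added example that is not code from anyone in this thread: a `kanta`-style helper that takes bind values, Sean's query rewritten with `?`, and a whitelist for the one thing a placeholder cannot stand for, the column name in `select $a from ...`. Assumptions: DBD::Pg with connection details taken from the libpq environment variables (`dbi:Pg:` DSN), and a `filestatus` table with the columns named below.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::Pg is installed and PGDATABASE/PGHOST/PGUSER/PGPASSWORD
# are set, so libpq supplies the connection details for an empty DSN.
my $dbh = DBI->connect("dbi:Pg:", undef, undef,
                       { RaiseError => 1, AutoCommit => 1 });

# Sean's query with a placeholder: the value travels separately from the
# SQL text, so the driver handles quoting and 'stdf' needs no quotes here.
sub filestatus_by_format {
    my ($dbh, $prod) = @_;
    my $sth = $dbh->prepare("SELECT * FROM filestatus WHERE fileformat = ?");
    $sth->execute($prod);
    return $sth->fetchall_arrayref;    # rows as array refs
}

# A helper in the spirit of the "kanta" sub, but taking bind values, so a
# caller keeps the one-line convenience without building SQL from variables.
sub kanta_safe {
    my ($dbh, $sql, @binds) = @_;
    my $sth = $dbh->prepare($sql);
    $sth->execute(@binds);
    return $sth->fetchall_arrayref;
}

# A placeholder can only stand for a value, never for a column or table
# name; for "select $a from ..." check the identifier against a whitelist.
# Assumed column names of the filestatus table:
my %allowed_col = map { $_ => 1 } qw(product spec_key fileformat);
sub select_column {
    my ($dbh, $col, $prod) = @_;
    die "column '$col' not allowed\n" unless $allowed_col{$col};
    return kanta_safe($dbh,
        "SELECT $col FROM filestatus WHERE fileformat = ?", $prod);
}

my $rows = filestatus_by_format($dbh, 'stdf');
printf "%d row(s) for stdf\n", scalar @$rows;

# The value from Antti's reply is only ever compared as a literal string:
# the bind value cannot add a second statement, so nothing is dropped.
my $odd = "10; DROP DATABASE x";
$rows = kanta_safe($dbh, "SELECT * FROM filestatus WHERE fileformat = ?", $odd);
printf "%d row(s) for %s\n", scalar @$rows, $odd;

$rows = select_column($dbh, 'product', 'stdf');
$dbh->disconnect;
```

Checking `$prod` "elsewhere", as the reply suggests, is easy to forget on the next call site; binding the value means every caller of the helper gets the protection without remembering to do so.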

