| From: | merlyn(at)stonehenge(dot)com (Randal L(dot) Schwartz) |
|---|---|
| To: | "Henrik Steffen" <steffen(at)city-map(dot)de> |
| Cc: | "Jan Wieck" <JanWieck(at)Yahoo(dot)com>, "pgsql" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: update phenomenom |
| Date: | 2003-06-09 17:52:08 |
| Message-ID: | 86wufvqgtz.fsf@red.stonehenge.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
>>>>> "Henrik" == Henrik Steffen <steffen(at)city-map(dot)de> writes:
Henrik> yes, input is coming from a web form.
Henrik> my SQL() function uses DBD::Pg in Perl
Henrik> and it does the following:
Henrik> sub SQL {
Henrik> my $command=shift;
Henrik> ...
Henrik> $sth=$db->prepare($command);
Henrik> $sth->execute();
Henrik> ...
Henrik> }
Which is not the way to do it if there are any values. You should
be using placeholders, which properly escape the data so the calamity
and security whole you described would never have happened.
my $sth = $dbh->prepare("UPDATE atable SET col1 = ? WHERE col2 = ?");
$dbh->execute($col1_value, $col2_value);
That's the Right Way.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn(at)stonehenge(dot)com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Arguile | 2003-06-09 17:59:54 | Re: update phenomenom |
| Previous Message | Carlos | 2003-06-09 17:50:34 | FW: Retrieving the server time and date -- java?? |