Re: perl and postgresql

From: "Ville Jungman" <ville_jungman(at)hotmail(dot)com>
To: antti(dot)haapala(at)iki(dot)fi
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: perl and postgresql
Date: 2003-03-18 12:05:33
Message-ID: F25QG7UJ9Aus3Xzbofv0002ec16@hotmail.com
Lists: pgsql-novice

>The point is that he and you need to use placeholders to avoid sql
>injection. Just consider example below: what if variable prod is set to
>$prod = '10; DROP DATABASE x'

Doesn't work if $prod is checked elsewhere.

It's easier if you can call SQL commands in just the same way that you do
at an SQL prompt. For example

@result=$self->kanta("select $a from table where name='$prod'");

is much simpler than the same query with placeholders. That's why I like to do
it with a sub like this.

>You should also look into DBI/DBD, as it seems to be the de facto way of
>doing database things in Perl today.

I'm familiar with that module. The use of these two modules is very similar,
so it's easy to change my sub to use DBD if I need to do it someday. But it's
good to know it's the more standard way.

> > >From: douggorley(at)shaw(dot)ca
> > >
> > >----- Original Message -----
> > >From: "Sugrue, Sean" <sean(dot)sugrue(at)analog(dot)com>
> > >
> > > >
> > > >
> > > > I am trying to execute the following query within perl
> > > >
> > > > #!/usr/local/bin/perl
> > > >
> > > > use DBI;
> > > >
> > > > $prod='stdf';
> > > >
> > > >
> > > > $dbh = DBI-
> > > >
> > >
> >connect("dbi:Pg:dbname=database;host=mink;port=0000","username","password");
> > > > $sth = $dbh->prepare("select * from filestatus where fileformat =
> > > > $prod");if( defined($sth)){
> > > >
> > > > $sth->execute;
> > > > #for when model numbers are available
> > > > while (@devices = $sth->fetchrow){
> > > > ($product,$spec_key)=(at)devices;
> > > > print"product = $product and speckey = $spec_key \n"; }
> > > > }
> > > >
> > > > i***************************************
> > > > it works if you put a literal value of 'stdf' for $prod
> > > > but it fails when I try to use a variable.
> > > >
> > > > Another point is if it were an integer the variable would work.
> > > >
> > > > Question: How can I get this to work. I've used q// qw// qq// qx//
> > > >
> > > > Sean
> > > >
> > >
> > >Try using placeholders.
> > >
> > >$prod='stdf';
> > >$sth = $dbh->prepare("select * from filestatus where fileformat = ?");
> > >$sth->execute( $prod );
> > >
> > >Doug Gorley | douggorley(at)shaw(dot)ca
>
>--
>Antti Haapala

_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
http://join.msn.com/?page=features/virus
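The two points raised in this exchange (the unquoted interpolation that made Sean's original query fail, and Doug's and Antti's advice to use placeholders) side by side, as an added example that is not part of any message in the thread. It keeps the convenience of a one-call sub like Ville's "kanta" but passes values through DBI bind parameters instead of interpolating them. Assumptions: DBD::SQLite is installed and an in-memory SQLite database stands in for the PostgreSQL server (the DBI calls are identical for DBD::Pg); the "filestatus" table and its rows are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database replaces the
# "dbi:Pg:..." connection from the thread; the DBI API is the same.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample table, loosely modelled on the "filestatus" table
# mentioned in the original question.
$dbh->do("CREATE TABLE filestatus (product TEXT, spec_key TEXT, fileformat TEXT)");
my $ins = $dbh->prepare("INSERT INTO filestatus VALUES (?, ?, ?)");
$ins->execute(@$_) for (
    [ 'PRODUCT-A', 'K1', 'stdf' ],
    [ 'PRODUCT-B', 'K2', 'csv'  ],
);

# A one-call wrapper in the spirit of the "kanta" sub from the reply, but the
# values travel as bind parameters (the trailing @bind list), never as part of
# the SQL text. Returns the result rows as a list of array refs.
sub kanta {
    my ($dbh, $sql, @bind) = @_;
    my $sth = $dbh->prepare($sql);
    $sth->execute(@bind);
    return @{ $sth->fetchall_arrayref };
}

# 1. The failure in the original script: "fileformat = $prod" with $prod='stdf'
#    expands to "fileformat = stdf", so the server parses stdf as a column
#    name and reports an error (an integer would have parsed as a literal).
my $prod = 'stdf';
my $bad = eval {
    [ kanta($dbh, "select product, spec_key from filestatus where fileformat = $prod") ]
};
print "interpolated, unquoted: ", ($bad ? scalar(@$bad) . " rows\n" : "error: $@");

# 2. Placeholder: the driver sends the value separately from the statement,
#    so the caller never quotes anything and the value cannot change the SQL.
my @rows = kanta($dbh, "select product, spec_key from filestatus where fileformat = ?", $prod);
print "placeholder: product = $_->[0] and speckey = $_->[1]\n" for @rows;

# 3. The string from the quoted warning, passed the same way, is only a value
#    to compare against: it matches no row and executes nothing.
$prod = '10; DROP DATABASE x';
@rows = kanta($dbh, "select product, spec_key from filestatus where fileformat = ?", $prod);
print "hostile value via placeholder: ", scalar(@rows), " rows\n";

$dbh->disconnect;
```

The wrapper is no longer to call than the interpolating version: `kanta($dbh, "... where name = ?", $prod)` versus `kanta("... where name='$prod'")`, and the "is $prod checked elsewhere" question disappears because the value is never spliced into the statement in the first place.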
