Date: 2008jan11
Keywords: mysql, postgresql
Language: perl
Q. How do I prevent SQL injection attacks when using Perl's DBI?
A. Use the quote() method. Like this:
use strict;
use warnings;
use DBI;

# Unsafe: the user-supplied value is interpolated straight into the SQL text.
sub unsafe($$)
{
my($dbh, $name) = @_;
my($sql, $sth);
$sql = qq(SELECT * FROM customers WHERE name = '$name');
$sth = $dbh->prepare($sql);
# ...
}

# Safe: the driver's quote() escapes the value and adds the surrounding quotes.
sub safe($$)
{
my($dbh, $name) = @_;
my($sql, $sth);
$name = $dbh->quote($name); # Safely add quotes (escaping is driver-specific)
$sql = qq(SELECT * FROM customers WHERE name = $name);
$sth = $dbh->prepare($sql);
# ...
}
Besides preventing an injection attack, it also, more mundanely,
permits single quotes in strings, e.g. name = O'Hara.
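As an added example (not part of the original note), the following runs the interpolated, quote() and placeholder forms against an in-memory SQLite database so the difference is visible without a MySQL or PostgreSQL server; the placeholder form is included because it is the DBI idiom to prefer, since the value never enters the SQL text at all. DBD::SQLite, the customers table and the O'Hara row are assumptions.

```perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed; the database lives in memory only.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });

# Constructed sample data.
$dbh->do("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO customers (name) VALUES (?)", undef, $_)
    for ("Smith", "O'Hara");

# Constructed input: a legitimate name that happens to contain a quote.
my $name = "O'Hara";

# 1. Interpolation: the quote inside the input ends the string literal early,
#    so the statement is malformed and prepare() fails under RaiseError.
my $sql_unsafe = "SELECT name FROM customers WHERE name = '$name'";
my $rows = eval { $dbh->selectall_arrayref($sql_unsafe) };
print "unsafe:      ", ($@ ? "SQL error: $@" : scalar(@$rows) . " row(s)\n");

# 2. quote(): the handle's method escapes the value the way this driver needs
#    (SQLite doubles the quote; DBD::mysql would backslash-escape instead).
my $sql_quoted = "SELECT name FROM customers WHERE name = " . $dbh->quote($name);
$rows = $dbh->selectall_arrayref($sql_quoted);
print "quote():     ", scalar(@$rows), " row(s) via $sql_quoted\n";

# 3. Placeholder: the value is bound separately and never touches the SQL.
$rows = $dbh->selectall_arrayref(
    "SELECT name FROM customers WHERE name = ?", undef, $name);
print "placeholder: ", scalar(@$rows), " row(s)\n";

$dbh->disconnect;
```

Cases 2 and 3 each return one row; case 1 reports a syntax error, which is the same failure an attacker-controlled value would exploit.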
Related
http://www.davekb.com/search.php?target=perl+DBI
http://www.davekb.com/search.php?target=mysql