[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Omaha.pm] SQL Attack exception
On Fri, Jul 29, 2005 at 03:41:48PM -0500, Kenneth Thompson (kthompson@omnihotels.com) wrote:
> foreach my $param ($q->param()) {
> # Strip out all wacky characters to prevent SQL injections
> #
> next ($IgnoreParms{$param}); #ignored - bail now
> my $value = $q->param($param); #Not ignored.. clean me up Scotty
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
Please don't do this. Please use bind variables.
my $sth = $dbh->prepare( "select * from users where foo=? and bar=?" );
$sth->execute( $foo, $bar );
The $foo matches up to the first ?, and $bar to the second. Then it
doesn't matter WHAT you pass in as $foo or $bar because it's not
interpolated into the SQL, and cannot possibly be executed.
--
Andy Lester => andy@petdance.com => www.petdance.com => AIM:petdance