
Re: [Omaha.pm] SQL Attack exception



On Fri, Jul 29, 2005 at 03:41:48PM -0500, Kenneth Thompson (kthompson@omnihotels.com) wrote:
>   foreach my $param ($q->param()) {
>      # Strip out all wacky characters to prevent SQL injections
>      #
>      next if $IgnoreParms{$param}; #ignored - bail now
>      my $value = $q->param($param); #Not ignored.. clean me up Scotty
>      $value =~ s/[`;'"\\]//g;
>      $q->delete($param);

Please don't do this.  Please use bind variables.

my $sth = $dbh->prepare( "select * from users where foo=? and bar=?" );
$sth->execute( $foo, $bar );

The $foo matches up to the first ?, and $bar to the second.  Then it
doesn't matter WHAT you pass in as $foo or $bar because it's not
interpolated into the SQL, and cannot possibly be executed.

-- 
Andy Lester => andy@petdance.com => www.petdance.com => AIM:petdance
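To make the difference between the two approaches concrete, here is an added example that is not part of the original thread. It is written in Python with the standard sqlite3 module rather than Perl DBI, because the `?` placeholder style is the same; the table and rows are constructed for the demonstration. It applies the same character blacklist as the quoted Perl regex and shows two things the stripping approach gets wrong: an input with none of the blacklisted characters still changes the meaning of an interpolated query, and a legitimate value containing an apostrophe is silently mangled. The bound-parameter versions treat the input as data in both cases.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol"), (4, "o'brien")],
    )
    return conn


def strip_wacky(value):
    """The character blacklist from the quoted message: drop ` ; ' \" and backslash."""
    return re.sub(r'[`;\'"\\]', "", value)


def lookup_interpolated(conn, user_id):
    """Sanitise-then-interpolate: the value becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE id=" + strip_wacky(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, user_id):
    """Bind variable: the value is passed separately and never parsed as SQL.
    SQLite applies the INTEGER column's affinity to a well-formed numeric
    string such as "2", so it still matches; anything else is just text."""
    rows = conn.execute("SELECT name FROM users WHERE id=? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


def lookup_name_interpolated(conn, name):
    """Same blacklist, string column: legitimate apostrophes are destroyed."""
    sql = "SELECT id FROM users WHERE name='" + strip_wacky(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_name_bound(conn, name):
    """Bound parameter: the apostrophe is ordinary data and the row is found."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name=?", (name,))]


def demo():
    """Run both approaches side by side; returns the results for inspection."""
    conn = make_db()
    odd_input = "2 OR 1=1"        # contains none of the stripped characters
    return {
        "stripped_is_unchanged": strip_wacky(odd_input) == odd_input,
        "interpolated": lookup_interpolated(conn, odd_input),   # every row
        "bound": lookup_bound(conn, odd_input),                 # no rows
        "name_interpolated": lookup_name_interpolated(conn, "o'brien"),  # lost
        "name_bound": lookup_name_bound(conn, "o'brien"),       # [4]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `lookup_bound` is the one made in the message above: the driver sends the SQL text and the value separately, so there is no string in which the value could be re-interpreted as SQL, and no blacklist to keep complete.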