PerlMonks  

Re: DBI do() SQL injection

by ikegami (Patriarch)
on Oct 20, 2023 at 16:12 UTC ( [id://11155113] )


in reply to DBI do() SQL injection

Everything that expects a string to be in a certain format is "susceptible to injection", since an injection bug is simply another term for incorrectly constructing a string.

Since do expects SQL, it is susceptible to being provided incorrectly-built SQL, or susceptible to injection bugs as you put it.

(Same goes for eval EXPR, qr//, decode_json, printf, etc.)

Example of a bug:

    my $sql = qq{ insert into customers ( id, name ) values ( '$id', '$name' ) -- XXX BUG };
    $dbh->do( $sql );

We can fix the bug by properly building the SQL statement.

    my $id_sql   = $dbh->quote( $id );
    my $name_sql = $dbh->quote( $name );
    my $sql      = qq{ insert into customers ( id, name ) values ( $id_sql, $name_sql ) };
    $dbh->do( $sql );

It's simpler using placeholders.

    my $sql = qq{ insert into customers ( id, name ) values ( ?, ? ) };
    $dbh->do( $sql, undef, $id, $name );
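The three variants from the reply above, run side by side against a constructed malicious input so the difference is visible. This is an added example, not code from ikegami's post; it assumes DBD::SQLite is installed and uses an in-memory database so nothing external is needed. The input string, the table layout and the helper names (fresh_table, dump_rows) are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example (not from the original post). In-memory SQLite database so the
# script runs offline; assumes DBD::SQLite is available.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 } );

# Recreate an empty table before each variant so the row counts are comparable.
sub fresh_table {
    $dbh->do("drop table if exists customers");
    $dbh->do("create table customers ( id integer, name text )");
}

# Constructed attacker-controlled input: the first single quote closes the
# string literal the template opened, and the remainder smuggles a second row
# into the VALUES list.
my $id   = 1;
my $name = q{x'), ('999', 'Mallory};

# 1. The bug from the post: the value is pasted into the SQL text verbatim.
sub insert_interpolated {
    my $sql = qq{ insert into customers ( id, name ) values ( '$id', '$name' ) -- XXX BUG };
    $dbh->do($sql);
}

# 2. Fix with $dbh->quote: the driver turns the value into a correct SQL string
#    literal (embedded quotes doubled), so the whole input lands in one column.
sub insert_quoted {
    my $id_sql   = $dbh->quote($id);
    my $name_sql = $dbh->quote($name);
    $dbh->do(qq{ insert into customers ( id, name ) values ( $id_sql, $name_sql ) });
}

# 3. Fix with placeholders: the data is bound separately and never becomes part
#    of the SQL text at all.
sub insert_placeholders {
    $dbh->do( q{ insert into customers ( id, name ) values ( ?, ? ) }, undef, $id, $name );
}

# Returns the row count followed by one formatted line per row.
sub dump_rows {
    my $rows = $dbh->selectall_arrayref("select id, name from customers order by id");
    return scalar(@$rows), map { "  id=$_->[0] name=[$_->[1]]" } @$rows;
}

for my $case ( [ interpolated => \&insert_interpolated ],
               [ quoted       => \&insert_quoted ],
               [ placeholders => \&insert_placeholders ] ) {
    my ( $label, $code ) = @$case;
    fresh_table();
    $code->();
    my ( $count, @lines ) = dump_rows();
    print "$label: $count row(s)\n", map { "$_\n" } @lines;
}
```

Running it shows the interpolated variant ending up with two rows, the second being the injected id 999 / Mallory, because the input rewrote the statement; both fixed variants end up with a single row whose name column holds the attacker's string literally, quotes and all. Placeholders are preferable not only because the code is shorter, but because there is no hand-built string left to get wrong.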