# $query is a CGI object; $dbh is an already-connected DBI database handle
my $username = $query->param('username');
# Do some input validation if necessary
# DBI code: the '?' placeholder marks where the value goes; the value itself
# is supplied to execute() and is never spliced into the SQL text
my $sql = "SELECT * FROM users WHERE username = ?";
my $sth = $dbh->prepare($sql);
$sth->execute($username);
(Note: There are other ways of specifying values for placeholders, or "binding values", as it is referred to in the DBI documentation.)
If a malicious user were to pass in PotPieMan; DROP TABLE users for the username, the DBI module would parse this as the following:
SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';
and (most likely) return 0 rows. The point is that you, the programmer, have to worry A LOT LESS about getting every possible case of SQL exploitation covered.
--PotPieMan
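The contrast the post describes, as an added, runnable example (not code from PotPieMan's post): the same lookup written once with string interpolation and once with a DBI placeholder, run against a constructed in-memory SQLite table with an attacker-controlled username. It assumes DBD::SQLite is installed; the table, rows and payload strings are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database stands in for a
# real server so this runs offline; the table and its rows are constructed.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)");
my $ins = $dbh->prepare("INSERT INTO users (username, email) VALUES (?, ?)");
$ins->execute(@$_) for ( [ 'alice', 'alice@example.com' ],
                          [ 'bob',   'bob@example.com'   ] );

# Vulnerable form: the user's string is spliced into the SQL text, so any
# quote character inside it becomes part of the statement's syntax.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT username FROM users WHERE username = '$name'";
    return $dbh->selectcol_arrayref($sql);
}

# Placeholder form: the statement text is fixed and the string travels as a
# bound value, so the database never parses the user's input as SQL.
sub lookup_placeholder {
    my ($dbh, $name) = @_;
    my $sql = "SELECT username FROM users WHERE username = ?";
    return $dbh->selectcol_arrayref($sql, undef, $name);
}

# Constructed attacker input: the first quote closes the string literal, an
# always-true condition follows, and the trailing quote balances the one the
# interpolated template adds after $name.
my $payload = "nobody' OR '1'='1";

my $leaked = lookup_interpolated($dbh, $payload);
print "interpolated lookup: ", scalar(@$leaked), " row(s): @$leaked\n";

my $bound = lookup_placeholder($dbh, $payload);
print "placeholder lookup:  ", scalar(@$bound), " row(s)\n";

# The post's own input, bound through a placeholder, is just an odd username.
my $stacked = lookup_placeholder($dbh, 'PotPieMan; DROP TABLE users');
print "placeholder with stacked-query text: ", scalar(@$stacked), " row(s)\n";
my ($table_exists) = $dbh->selectrow_array(
    "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'");
print "users table still exists: $table_exists\n";
```

Run it with perl and compare the two counts: the interpolated lookup matches every user because the payload rewrote the WHERE clause, while the placeholder lookup matches none because the whole payload was compared, quotes and all, against the username column. The tautology payload is used rather than the post's `; DROP TABLE users` form because DBD::SQLite executes only the first statement of a string by default, so a stacked query would not illustrate the difference there; the binding mechanism protects against both in the same way.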