Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite


The stupid question is the question not asked
	PerlMonks

Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

by sundialsvc4 (Abbot)

on Jan 10, 2008 at 03:06 UTC ( [id://661545]=note: print w/replies, xml )

Need Help??

in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

Here are my thoughts...

You should not rely upon what a particular DBI-implementation actually does with “a parameterized query.”
Nevertheless... you should know your own business. You should know what parameters you are expecting, and for each one you should know (a) that the value is “a scalar” and (b) what regular-expression pattern it should match.

Both of these considerations will be “specific to your application,” and therefore you should bear the first level of responsibility for ensuring conformance to them.

Comment on Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://661545]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others avoiding work at the Monastery: (6)

As of 2024-04-16 11:55 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found