in reply to Storing a variable in a file and processing within the script

Where is this text file generated? If its contents are affected in any way by user input, you open yourself up to SQL injection attacks. Please be careful.

That issue addressed, I don't know where this executeSQL() sub comes from, but if you were using DBI, my advice would be to use a placeholder in the query:

    $sth = $dbh->prepare('SELECT * FROM all_tables WHERE table_name = ?');
    $sth->execute($table_name);
    while (@row = $sth->fetchrow_array) {
        print "@row\n";
    }

If you can't use DBI, then a simple substitution will work in a pinch:

    my $sql = <$filecontent>;
    $sql =~ s/\$table_name/$table_name/e;

In this case, however, you now also have to ensure that $table_name is safe from SQL injection, if it can be influenced by user input.

Re^2: Storing a variable in a file and processing within the script
by Corion (Patriarch) on Jul 17, 2013 at 15:29 UTC

    Note that a placeholder in SQL is usually only allowed where the query engine can still create a full query plan and compile+check the query with it. This usually precludes the use of placeholders for column, table or schema names, as the validity of the query cannot be checked when the value for the placeholder is only known at a later stage.

      It's fine in this case, since the placeholder is for a column value. Even though the $table_name is the thing in question, he apparently has a table full of table names to query against. Good reminder, though.
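The two situations discussed above, a placeholder for a column value versus a table name used as an identifier, side by side in one runnable script. This is an added example, not code from any of the posters; it assumes DBD::SQLite is installed and uses an in-memory database with constructed sample tables (all_tables, orders, customers) in place of the original poster's database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example (not from the original thread). Assumes DBD::SQLite is
# installed; an in-memory database stands in for the poster's real one.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data: a table of table names, as in the original post,
# plus two real tables that can later be queried by name.
$dbh->do('CREATE TABLE all_tables (table_name TEXT, owner TEXT)');
$dbh->do('CREATE TABLE orders (id INTEGER, total REAL)');
$dbh->do('CREATE TABLE customers (id INTEGER, name TEXT)');
$dbh->do(q{INSERT INTO all_tables VALUES ('orders', 'app'), ('customers', 'app')});
$dbh->do('INSERT INTO orders VALUES (1, 9.99), (2, 19.50)');

# Case 1: the table name is a column VALUE, so a placeholder is the right tool.
# The driver passes the value separately from the SQL text, so a hostile
# string such as "x' OR '1'='1" is compared literally and matches nothing.
sub rows_for_table_name {
    my ($dbh, $table_name) = @_;
    my $sth = $dbh->prepare('SELECT * FROM all_tables WHERE table_name = ?');
    $sth->execute($table_name);
    return $sth->fetchall_arrayref;
}

# Case 2: the table name is an IDENTIFIER in the query. As Corion notes, a
# placeholder is not allowed there (the engine needs the name to plan the
# query), so the name must be checked against a list the application
# controls before it is interpolated. Here the allow-list is the contents of
# all_tables itself; quote_identifier adds the driver's quoting as a second
# layer so an accepted name is still treated as a single identifier.
sub count_rows_in_table {
    my ($dbh, $table_name) = @_;
    my %allowed = map { $_->[0] => 1 }
        @{ $dbh->selectall_arrayref('SELECT table_name FROM all_tables') };
    die "refusing to query unknown table '$table_name'\n"
        unless $allowed{$table_name};
    my $ident = $dbh->quote_identifier($table_name);
    my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM $ident");
    return $count;
}

# Value lookups: the placeholder keeps the hostile string harmless.
for my $name ('orders', "x' OR '1'='1") {
    my $rows = rows_for_table_name($dbh, $name);
    printf "lookup %-16s -> %d row(s)\n", "'$name'", scalar @$rows;
}

# Identifier use: only names present in all_tables are ever interpolated.
for my $name ('orders', 'sqlite_master') {
    my $count = eval { count_rows_in_table($dbh, $name) };
    print defined $count ? "count($name) = $count\n" : "rejected: $@";
}
```

The allow-list check is the part that does the real work in case 2; quote_identifier alone is not a substitute for it, because quoting only prevents the name from breaking out of the identifier position, it does not stop a user from naming a table they should not be reading.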