Re: Escaping %params

Rather than escape values yourself, using SQL placeholders lets your database driver escape the values for you. It's a lot easier and safer. If you were to post some example database code, someone would surely show you how to use placeholders instead.

Improve your skills with Modern Perl: the free book.

Comment on Re: Escaping %params

Replies are listed 'Best First'.
Re^2: Escaping %params by DaisyLou (Sexton) on Jan 20, 2014 at 22:14 UTC
You are right, and in the long-run, that's what will probably be done, but that's a lot of work and testing. This is to "get us by" in the meantime.	[reply]
Re^3: Escaping %params by ruzam (Curate) on Jan 20, 2014 at 23:56 UTC
Not to sound like a grumpy old man, but "gets us by" is exactly how insecure systems are created and forgotten. If your goal as stated is to 'prevent SQL injection' then there is only one answer: use place holders.	[reply]