in reply to Re^2: Writing NULL values to a MySQL record via DBI
in thread Writing NULL values to a MySQL record via DBI

It’s been recommended but perhaps not forcefully enough. SQL work without placeholders is tragically, criminally insecure. I know just getting things working is sometimes a necessary first step, but placeholders are not something to file under "Hmmm, interesting" but rather "Say, I could destroy my company with one line of this code."

See also: Exploits of a mom and bobby-tables.com.


Re^4: Writing NULL values to a MySQL record via DBI
by ureco (Acolyte) on Feb 26, 2015 at 22:54 UTC
    Definitely looking at placeholders now :o) Thankfully this code is executing firmly behind closed doors and not on a public server - but I understand this appears to be a much better and more secure way to perform database access tasks. But more reading to be done... every day is a school day :o) Thanks

      Although it is behind closed doors today, there's no telling what will be tomorrow. It also helps by mostly forcing type definition of the parameters. Further, by preparing the statement, it makes it more efficient when running it multiple times.

      It's really easy to do. Just use placeholders, define them with the appropriate statements, and pass them when executing the query.
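The procedure the reply above describes (prepare once with placeholders, bind the values, execute per row), written out as an added example that is not code from the original thread or from any of its posters. It assumes DBD::SQLite with an in-memory database so it runs offline; the DBI calls are the same against DBD::mysql with a `dbi:mysql:` DSN. The table and the sample rows are constructed for the example, and the rows deliberately include an apostrophe, an empty string and `undef`, which is how DBI writes a SQL NULL, the question that started the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI qw(:sql_types);   # exports SQL_INTEGER and friends

# Assumption: DBD::SQLite in-memory database so the example runs offline.
# With DBD::mysql the DSN would be "dbi:mysql:database=...;host=...".
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed schema: two nullable columns.
$dbh->do(q{
    CREATE TABLE staff (
        id     INTEGER PRIMARY KEY,
        name   TEXT    NOT NULL,
        phone  TEXT,            -- nullable
        age    INTEGER          -- nullable
    )
});

# One prepared statement, reused for every row. The values never become
# part of the SQL text; the driver sends them separately, so a quote
# inside the data is just data, not syntax. Passing undef binds SQL NULL.
my $ins = $dbh->prepare(q{
    INSERT INTO staff (name, phone, age) VALUES (?, ?, ?)
});

# Constructed sample input.
my @rows = (
    [ "Alice O'Brien", "555-0100", 42    ],   # apostrophe handled by the driver
    [ "Bob",           undef,      undef ],   # phone and age unknown -> NULL
    [ "Carol",         "",         0     ],   # empty string and zero are NOT NULL
);

for my $r (@rows) {
    # bind_param lets you state a type explicitly; here the age column is
    # declared as an integer so the driver does not quote it as a string.
    $ins->bind_param(1, $r->[0]);
    $ins->bind_param(2, $r->[1]);
    $ins->bind_param(3, $r->[2], SQL_INTEGER);
    $ins->execute;
}

# Reading back: a NULL column arrives in Perl as undef, so test it with
# defined(), never with eq '' or == 0.
my $sel = $dbh->prepare(q{SELECT name, phone, age FROM staff ORDER BY id});
$sel->execute;
while (my ($name, $phone, $age) = $sel->fetchrow_array) {
    printf "%-15s phone=%s age=%s\n",
        $name,
        defined $phone ? "'$phone'" : "NULL",
        defined $age   ? $age       : "NULL";
}

# Placeholders work in WHERE clauses too, but "IS NULL" cannot be
# expressed as "= ?" with undef: in SQL, NULL never equals anything.
my ($n_missing) = $dbh->selectrow_array(
    q{SELECT COUNT(*) FROM staff WHERE phone IS NULL});
print "rows with no phone: $n_missing\n";

$dbh->disconnect;
```

The contrast with string interpolation is the point of the thread: `"INSERT ... VALUES ('$name', ...)"` breaks on Alice's apostrophe (a syntax error at best, a rewritten statement at worst), while the placeholder version stores it unchanged. Note also the last query: to select rows where a column is NULL you write `IS NULL` in the SQL itself, since binding `undef` to `= ?` compares against NULL and matches nothing.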