Re^3: SQL Injection myths under DBI?

could we not just delete the single quote(s) and other "bad" characters?

$input =~ s/\'|\"|\@//g;
[download]

Comment on Re^3: SQL Injection myths under DBI? Download Code

Replies are listed 'Best First'.
Re^4: SQL Injection myths under DBI? by afoken (Chancellor) on Mar 13, 2017 at 18:26 UTC
could we not just delete the single quote(s) and other "bad" characters? No. Just no. Use DBI properly, i.e. use prepared statement with placeholders, and if you have to pass identifiers from doubious sources (i.e. outside your code, like user or network), quote them using quote_identifier(). DBI automatically handles all quoting issues for values when using placeholders. And quote_identifier() handles the little remaining bit, identifiers. All of this completely independant from the database actually used. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply]

Replies are listed 'Best First'.

Re^4: SQL Injection myths under DBI?
by afoken (Chancellor) on Mar 13, 2017 at 18:26 UTC

could we not just delete the single quote(s) and other "bad" characters?

No. Just no.

Use DBI properly, i.e. use prepared statement with placeholders, and if you have to pass identifiers from doubious sources (i.e. outside your code, like user or network), quote them using quote_identifier().

DBI automatically handles all quoting issues for values when using placeholders. And quote_identifier() handles the little remaining bit, identifiers. All of this completely independant from the database actually used.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

[reply]