in reply to Trouble with cookies being used for validation (was: cookies)

OM_Zen points out the direct problem, but you have at least one more. By not using bind parameters when you prepare the query, you're opening yourself to the possibility of someone corrupting your query. A username of
gotcha'; delete * from user
could really spoil your day. At the very least, you need to taint-check any input you're getting.

Re: Re: cookies
by perlguy (Deacon) on Mar 05, 2003 at 17:01 UTC
    To expand a bit on what dws is trying to say, and to make your code safer, substitute this part of your code:
        my $SQL = "SELECT username, password FROM user WHERE username = '$username'";
        my @row;
        @row = $dbh->selectrow_array($SQL);
    with the following:
        my $sth = $dbh->prepare("SELECT username, password FROM user WHERE username = ?");
        $sth->execute($username);   # execute substitutes $username in place of the question
                                    # mark above, correctly formatted, with all bad news
                                    # characters removed by the DBI
        my @row = $sth->fetchrow_array;   # fetchrow_array is the current DBI name for the old fetchrow
    Hope that helps.
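    As an added example (not from this thread), the following self-contained script runs both versions above against an in-memory SQLite table with a perfectly legitimate username containing a quote; it assumes DBD::SQLite is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database standing in for the real "user" table (constructed sample data).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE user (username TEXT, password TEXT)");
$dbh->do("INSERT INTO user VALUES (?, ?)", undef, "O'Brien", "s3cret");

# Version 1: string interpolation, as in the original poster's code.
# Whatever is in $username becomes part of the SQL text itself.
sub lookup_interpolated {
    my ($username) = @_;
    my $sql = "SELECT username, password FROM user WHERE username = '$username'";
    print "  SQL sent: $sql\n";
    return $dbh->selectrow_array($sql);
}

# Version 2: placeholder / bind parameter, as in perlguy's fix.
# The SQL text is fixed; $username is handed to the driver as data only.
sub lookup_bound {
    my ($username) = @_;
    my $sth = $dbh->prepare("SELECT username, password FROM user WHERE username = ?");
    $sth->execute($username);
    return $sth->fetchrow_array;
}

my $input = "O'Brien";    # a real name; the quote is enough to break an interpolated query
print "input: $input\n";

my @row = eval { lookup_interpolated($input) };
print "  interpolated: ", ($@ ? "query failed: $@" : "@row"), "\n";

@row = lookup_bound($input);
print "  bound:        ", (@row ? "@row" : "no match"), "\n";
```

    The interpolated version dies with a SQL syntax error because the user's quote ended the string literal early, while the bound version returns the row; an attacker's quote changes the query in exactly the same way, which is why the placeholder form is the safe one.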