I didn't even look at this, but Corion is right to mention it - your SQL is constructed very poorly. Instead, it should be:
my $sql = "SELECT pass FROM password WHERE username = ?";
my $sth = $dbh->prepare_cached($sql) || die "Cannot prepare '$sql'\n";
$sth->execute($username) || die "Cannot execute '$sql' with '$username'\n";
The reason being that it will help protect versus attacks. For example, let's say $username is q{'; delete from password where username != 'NOT THERE''}. You'll lose all your password table entries.
------ We are the carpenters and bricklayers of the Information Age. Don't go borrowing trouble. For programmers, this means Worry only about what you need to implement. Please remember that I'm crufty and crotchety. All opinions are purely mine and all code is untested, unless otherwise specified.
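The placeholder behaviour described in the post above, as an added example that is not part of the original post: the hostile $username value is bound as data, so the lookup finds no row and the table keeps its entries. It assumes DBD::SQLite is installed; the in-memory table contents are constructed, and lookup_pass and row_count are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data in an in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do("CREATE TABLE password (username TEXT PRIMARY KEY, pass TEXT)");
$dbh->do("INSERT INTO password (username, pass) VALUES (?, ?)", undef, @$_)
    for (["alice", "hash-a"], ["bob", "hash-b"]);

# Hypothetical helper: the post's query, with the value bound to the placeholder.
sub lookup_pass {
    my ($dbh, $username) = @_;
    my $sth = $dbh->prepare_cached("SELECT pass FROM password WHERE username = ?");
    $sth->execute($username);
    my ($pass) = $sth->fetchrow_array;
    $sth->finish;    # release the cached handle so it can be reused
    return $pass;
}

# Hypothetical helper: number of rows left in the table.
sub row_count {
    my ($dbh) = @_;
    my ($n) = $dbh->selectrow_array("SELECT COUNT(*) FROM password");
    return $n;
}

# The value from the post, passed in as a username.
my $hostile = q{'; delete from password where username != 'NOT THERE''};

# What string interpolation would hand to the database. Printed only, never
# executed: the quote in the value ends the literal and the rest becomes SQL.
print "Interpolated SQL text:\n";
print "  SELECT pass FROM password WHERE username = '$hostile'\n";

# With the placeholder, the whole value is compared against the username
# column as one string, so it matches nothing and changes nothing.
my $before = row_count($dbh);
my $found  = lookup_pass($dbh, $hostile);
my $after  = row_count($dbh);
printf "Hostile lookup returned %s; rows before=%d, after=%d\n",
    (defined $found ? "'$found'" : "no row"), $before, $after;

# A legitimate lookup through the same cached statement still works.
printf "alice => %s\n", lookup_pass($dbh, "alice");

$dbh->disconnect;
```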