in reply to DBI prepare() vs do() usage

In this example, method 1, for one reason. Suppose the following assignment is made to $nick: 
$nick = "'something'; DELETE FROM existingtablename";

[download]
and execute using method 2.

Always make sure that the values you insert are quoted properly. Method 2 doesn't ensure that and therefore creates an SQL injection vulnerability.

Of course, if you can be sure that $nick contains what you expect, you can always directly quote the value in the SQL expression, or use the $dbh->quote() method.

Liz

Replies are listed 'Best First'.
Re: Re: DBI prepare() vs do() usage
by stvn (Monsignor) on Dec 21, 2003 at 15:00 UTC
    Liz,

    Actually I was concerned about this exact issue recently after reading an article on SQL injection tricks. I did some research and found that DBI (by default) does not support multiple SQL statements in a single statement. This can be overridden by the DBI driver though. Here is a quote from the DBI documentation:

    (In the "General Interface Rules & Caveats" section on this page)
    Multiple SQL statements may not be combined in a single statement handle ($sth), although some databases and drivers do support this (notably Sybase and SQL Server).

    Of course this is not excuse for not being a good paranoid programmer, but its nice to know anyway.

    -stvn
[reply]

In Section Seekers of Perl Wisdom