in reply to Re: mod_perl was hosed by a bind variable
in thread mod_perl was hosed by a bind variable

MadHatter,

Actually not true; check out what the DBI docs say about such SQL injection attacks:

(In the "General Interface Rules & Caveats" section on this page)

Multiple SQL statements may not be combined in a single statement handle ($sth), although some databases and drivers do support this (notably Sybase and SQL Server).

Although this is by no means a reason not to validate your strings before dumping them into a DB.

-stvn

Re: Re: Re: mod_perl was hosed by a bind variable
by tilly (Archbishop) on Jan 30, 2004 at 01:39 UTC
    You have to work harder (for instance put the nasty stuff in a correlated subquery), but MadHatter's point is still fundamentally true. An SQL injection attack can be used to truly devastating effect through well-known techniques that people can easily Google for if they want.