in reply to Re: Re: Preferred Way of Scrubbing User Input Before DB Write
in thread Preferred Way of Scrubbing User Input Before DB Write

Class::DBI does use placeholders. Changing to a Perl-based DAL that doesn't use placeholders would be really, really stupid. DBI always supports placeholders (even if the underlying database doesn't), and the additional security and caching support they provide make it reckless to not use them. If there is no DAL, then it's up to you to use placeholders.

I'm not saying to ignore input checking (I always do it even when I know placeholders will be there), but to put the problem in perspective.

----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer

: () { :|:& };:

Note: All code is untested, unless otherwise stated
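The contrast the post draws, shown as an added example (not code from the original post): the same insert written by interpolating user input into the SQL string and then written with DBI placeholders, run against an in-memory SQLite database. It assumes DBD::SQLite is installed; the table, column names and sample rows are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: an in-memory SQLite database so the script runs offline.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT)");

# Risky: user input interpolated straight into the SQL text. Any quote in the
# data changes the statement itself, so the database parses data as SQL.
sub insert_user_interpolated {
    my ($dbh, $name, $email) = @_;
    my $sql = "INSERT INTO users (name, email) VALUES ('$name', '$email')";
    return $dbh->do($sql);
}

# Preferred: placeholders. The values are bound separately from the SQL text,
# so they can never alter the statement, and the prepared handle can be reused.
sub insert_user_placeholders {
    my ($dbh, $name, $email) = @_;
    my $sth = $dbh->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
    return $sth->execute($name, $email);
}

# Constructed inputs: the second name contains an apostrophe, which is both
# legitimate data and the character that breaks the interpolated version.
my @input = (["Alice", 'alice@example.org'], ["O'Brien", 'ob@example.org']);

for my $row (@input) {
    my $ok = eval { insert_user_interpolated($dbh, @$row); 1 };
    printf "interpolated %-8s -> %s\n", $row->[0], $ok ? "ok" : "FAILED ($@)";
}

for my $row (@input) {
    insert_user_placeholders($dbh, @$row);   # the apostrophe is just data here
    printf "placeholder  %-8s -> ok\n", $row->[0];
}

# Placeholders apply to reads as well; input checking (as the post recommends)
# is still worth doing on top, but it is no longer what keeps the SQL intact.
my $lookup = $dbh->prepare("SELECT name, email FROM users WHERE name = ?");
$lookup->execute("O'Brien");
while (my ($n, $e) = $lookup->fetchrow_array) {
    print "found: $n <$e>\n";
}

$dbh->disconnect;
```

With RaiseError set, the interpolated insert of O'Brien dies with a syntax error from SQLite, while the placeholder version stores and later retrieves the same row unchanged.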

Replies are listed 'Best First'.
Re: Re: Re: Re: Preferred Way of Scrubbing User Input Before DB Write
by mpeppler (Vicar) on Feb 03, 2004 at 00:00 UTC
    DBI always supports placeholders (even if the underlying database doesn't)
    While this is mostly the case there are exceptions. One that is fairly significant given the number of people using MS-SQL is DBD::Sybase with FreeTDS, which does NOT support placeholders at the moment, because of a lack of support for placeholders in FreeTDS's version of the Client Library API (which is what DBD::Sybase uses.)

    Other systems or combination of front-ends and database engines may have similar problems.

    Michael