In fact, I tried it with two different database drivers. Interestingly, in DBD::SQLite, the table wasn't removed, as it doesn't support multiple statements at a time. On the other hand, DBD::Pg happily removed the table and crashed when I tried using it later.
#!/usr/bin/perl use warnings; use strict; use feature qw{ say }; use experimental qw{ signatures }; use DBI; sub run_do($dbh, $id, $name) { $dbh->do(qq{ INSERT INTO customers (id,name) VALUES('$id','$name')}); } sub run_select($dbh) { my $sth = $dbh->prepare('SELECT * FROM customers'); $sth->execute; while (my @row = $sth->fetchrow_array) { say "@row"; } } my %connection = ('dbi:SQLite:dbname=:memory:' => ["", ""], "dbi:Pg:dbname=$ENV{USER}" => [$ENV{USER}, ""]); for my $dbcs (keys %connection) { my $dbh = 'DBI'->connect($dbcs, @{ $connection{$dbcs} }); $dbh->do('CREATE TABLE customers (id INTEGER, name TEXT)'); run_do($dbh, 1, 'John'); run_select($dbh); my $id = q{42', 'Batman'); DROP TABLE customers; -- }; run_do($dbh, $id, 'Joe'); run_select($dbh); }
The output:
1 John 1 John 42 Batman 1 John DBD::Pg::st execute failed: ERROR: relation "customers" does not exis +t LINE 1: SELECT * FROM customers ^ at ./1.pl line 18. DBD::Pg::st fetchrow_array failed: no statement executing at ./1.pl li +ne 19.
You can always fix that by wrapping the value into a quote:
$dbh->do(join "", 'INSERT INTO customers(id,name) VALUES(', $dbh->quote($id), ', ', $dbh->quote($name), ')');
In reply to Re^5: DBI do() SQL injection
by choroba
in thread DBI do() SQL injection
by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |