You have a potential for a whopping security hole here, depending on how this is used. With MySQL (unless this has changed recently) you can't execute multiple SQL statements with one query, so this hole doesn't apply, but I bring it up in case you need to port this code or some else tries to use it.
What happens if someone passes an $id with the following value:
$id = q|3';DROP TABLE people;SELECT * FROM people WHERE id = '3|;
Needless to say, that's going to ruin your day with many databases (the excess SQL is simply to ensure that this query parses correctly). The solution is to quote the $id or to use placeholders:
sub SelectProfile { my ( $id, $dbh ) = @_; $id = $dbh->quote( $id ); my $selectquery = "SELECT * FROM people WHERE id = $id"; my $sth= $dbh->prepare($selectquery); $sth->execute(); my $rowdata=$sth->fetchrow_hashref; return $rowdata; }
A couple of other things. One, why do you disconnect the database handle in this subroutine? That means someone trying to reuse this sub is in for a rude shock. This should be handled elsewhere.
The other issue is the "SELECT *...". This is usually bad practice. See (Ovid: Death to Select Star!) Re: MySQL DBI Help for details.
Cheers,
Ovid
Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.
In reply to (Ovid - potential security concern) Re: Passing database handles
by Ovid
in thread Passing database handles
by hakkr
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |