    my $sth = $dbh->prepare("SELECT * FROM customers WHERE name = '$name'");
    $sth->execute();

    # so what happens if:
    $name = "O'Deary";
    SELECT * FROM customers WHERE name = 'O'Deary'

    # or even
    $name = "Just another' or name = name or name = 'Perl hacker,";
    SELECT * FROM customers WHERE name = 'Just another' or name = name or name = 'Perl hacker,'

Sure, so you should use ? placeholders. With fatalsToBrowser active a *creative* user will probably get an informative error after submitting the first name. Then such a user might get the entire customer database. Thanks for coming....

Security is all about hurdles, depth and vigilance. You need to accept that nothing can ever be 100% secure. You attempt to make it more trouble than it is worth to breach your security. Just as you would be unwise to publish the wiring diagram for your alarm system, so too you are unwise to (widely) advertise your source code. Of course code reviews like those offered by merlyn are a good idea (if you trust him ;-)

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
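The interpolated query beside its ? placeholder fix, as an added example that is not from tachyon's post: it assumes DBI with DBD::SQLite, constructs three sample customer rows in an in-memory table, and wraps each lookup so a DBI error goes to the server log rather than to the browser (the fatalsToBrowser point above).

```perl
# Added example, not tachyon's code: the interpolated query beside the
# placeholder version, run against an in-memory SQLite table (assumes
# DBI and DBD::SQLite are installed). The sample customers are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE customers (name TEXT, card TEXT)");
$dbh->do("INSERT INTO customers VALUES (?, ?)", undef, @$_)
    for ( ["Alice", "4111-xxxx"], ["Bob", "5500-xxxx"], ["O'Deary", "3400-xxxx"] );

# Vulnerable: $name is pasted into the SQL text, so quotes in it change the query.
sub lookup_interpolated {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT name FROM customers WHERE name = '$name'");
    $sth->execute();
    return map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# Fixed: the ? placeholder sends $name as data, never as part of the SQL.
sub lookup_placeholder {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT name FROM customers WHERE name = ?");
    $sth->execute($name);
    return map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# What a CGI handler should do instead of fatalsToBrowser: log the real DBI
# error server-side and show the user only a generic message.
sub safe_lookup {
    my ($code, $name) = @_;
    my @rows = eval { $code->($name) };
    if ($@) {
        print STDERR "DB error for input '$name': $@";   # goes to the error log
        return "Lookup failed.";                         # what the browser sees
    }
    return join(", ", @rows) || "(no match)";
}

for my $name ("O'Deary", "Just another' or name = name or name = 'Perl hacker,") {
    print "input: $name\n";
    print "  interpolated: ", safe_lookup(\&lookup_interpolated, $name), "\n";
    print "  placeholder:  ", safe_lookup(\&lookup_placeholder, $name), "\n";
}
```

The interpolated version fails on O'Deary and returns every row for the second input, while the placeholder version returns O'Deary's row and no match, respectively.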


In reply to Re: Re: Re: Does fatalsToBrowser give too much information to a cracker? by tachyon
in thread Does fatalsToBrowser give too much information to a cracker? by rinceWind
