in reply to CGI (in)security

Am I doing the right things?

Concerning SQL injection there was a discussion recently: Format to save and display.
I think (and hope to be proven right) that you don't need to mutilate the English words that are SQL keywords if you are careful about semicolons and quote characters.

Use DBI's quote() method/function to escape your data.

Cheers, Sören

Re^2: CGI (in)security
by amw1 (Friar) on Jun 15, 2004 at 13:36 UTC

    DBI will do the quoting for you automatically if you use the bind params format. Something like

    untested and no error checking
    my $sql = "select name from customer_table where customer_id = ?";
    my $sth = $dbh->prepare($sql);
    $sth->execute($customer_id);   # the ? is bound to $customer_id, quoted as needed
    Execute takes an array of values and subs them in order for the ?'s in the sql statement. It will quote/not quote as necessary. Should be sufficient to prevent sql injection issues.
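A runnable comparison of the three approaches mentioned in this thread (plain string interpolation, DBI's quote(), and bind parameters), added here as an example and not taken from any monk's post. It assumes DBD::SQLite is installed and uses a constructed in-memory table; the second input contains a stray quote character to show which form still treats it as plain data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed. The table and rows are constructed for this example.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE customer_table (customer_id TEXT, name TEXT)');
$dbh->do(q{INSERT INTO customer_table VALUES ('c1', 'Alice'), ('c2', 'Bob')});

# Unsafe: the input is pasted straight into the SQL text, so a quote character
# in it changes the statement's structure instead of being treated as data.
sub lookup_interpolated {
    my ($id) = @_;
    return $dbh->selectcol_arrayref(
        "select name from customer_table where customer_id = '$id'");
}

# Safer: DBI's quote() escapes the value for the driver's SQL dialect.
sub lookup_quoted {
    my ($id) = @_;
    return $dbh->selectcol_arrayref(
        'select name from customer_table where customer_id = ' . $dbh->quote($id));
}

# Preferred: a placeholder keeps the SQL fixed; the value is bound at execute
# time and never parsed as SQL, so no escaping is needed in your code at all.
sub lookup_bound {
    my ($id) = @_;
    return $dbh->selectcol_arrayref(
        'select name from customer_table where customer_id = ?', undef, $id);
}

# A normal id, then an id containing a stray quote character.
for my $input ('c1', "c1'") {
    for my $pair (['interpolated', \&lookup_interpolated],
                  ['quote()',      \&lookup_quoted],
                  ['bind param',   \&lookup_bound]) {
        my ($label, $fn) = @$pair;
        my $rows  = eval { $fn->($input) };
        my $shown = $@ ? 'error: ' . (split /\n/, $@)[0]
                       : 'rows: [' . join(', ', @$rows) . ']';
        printf "%-12s %-6s -> %s\n", $label, "'$input'", $shown;
    }
}
```

The interpolated form fails with a SQL syntax error on the second input, while the quote() and bind-parameter forms simply return no rows, because the quote character stays part of the data.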