in reply to MySQL Data Insertion Errors w/ Perl

When you point out line 246, the first thing that I noticed is that this piece of code that you've downloaded does not use SQL placeholders. Read more about SQL placeholders.

Since this script uses DBI, the DBI module should take care of the single-quote problem that you explain.

Also, since you state that you are "not very adept at Perl", I have a suggestion for you. First would be to stop using this script in favor of one that has better security (lack of SQL placeholders is considered a high security risk if end users are allowed to enter values that are going into the SQL; Super Search or Google on "SQL injection attack"). Alternately, you can get more adept at Perl -- or hire someone who already is -- if you're set on continuing usage of this script.


Re^2: MySQL Data Insertion Errors w/ Perl
by ingsoc747 (Acolyte) on Nov 19, 2004 at 16:43 UTC
    I understand the risk of SQL injection attacks; however, I don't think that it is really a problem in this situation because this script will be used only by me to update the inventory daily. It will not be hosted on the website. I am, however, attempting to update the script to use placeholders. In addition to its advantages, it will help me to learn Perl a little bit better :) Thanks.
      OK, so you can trust the user of the script. Fair enough. Do you trust the data that you are feeding to it? Your data is, effectively, executable code.
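An added example (not code from this thread or from the downloaded script) showing the single-quote problem and the placeholder fix side by side, for both the original reply and the follow-up about converting the script. It assumes DBD::SQLite is available so the inventory table can live in memory; the DBI calls are the same against MySQL.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed; an in-memory database stands in for
# the MySQL inventory table so this runs offline. With DBD::mysql only the
# DSN and credentials change; the DBI calls below are unchanged.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE inventory (sku TEXT PRIMARY KEY, name TEXT, qty INTEGER)");

# Constructed inventory rows; the second name carries the single quote
# that trips up the original script.
my @rows = (
    [ 'A100', 'Widget',            5 ],
    [ 'A101', "O'Brien's Bracket", 2 ],
);

# The pattern from the downloaded script: data pasted into the SQL text.
# The quote in "O'Brien" ends the string literal early, so what reaches
# the server is malformed SQL (RaiseError turns that into a die) or, for
# a value shaped like SQL, a different statement than the one intended.
sub insert_interpolated {
    my ($sku, $name, $qty) = @_;
    $dbh->do("INSERT INTO inventory VALUES ('$sku', '$name', $qty)");
}

# The placeholder version: the SQL is fixed at prepare() time and the
# values are handed separately to execute(), so the driver never parses
# them as SQL. No quoting or escaping of the data is needed.
my $sth = $dbh->prepare("INSERT INTO inventory (sku, name, qty) VALUES (?, ?, ?)");
sub insert_placeholder {
    my ($sku, $name, $qty) = @_;
    $sth->execute($sku, $name, $qty);
}

for my $row (@rows) {
    eval { insert_interpolated(@$row); 1 }
        or print "interpolated insert failed for $row->[0]: $@";
}
$dbh->do("DELETE FROM inventory");   # start clean for the second run

insert_placeholder(@$_) for @rows;   # both rows, quote included, go in
my ($n) = $dbh->selectrow_array("SELECT COUNT(*) FROM inventory");
print "rows stored via placeholders: $n\n";

$sth->finish;
$dbh->disconnect;
```

The first loop reports a failure for A101 while the placeholder run stores both rows, which is the whole difference between treating the data as text and treating it as code.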