in reply to Re^5: DBH Insert of Binary Data
in thread DBH Insert of Binary Data

#!perl -w
use strict;
use DBI;

my $dbh = DBI->connect('DBI:mysql:database=test','xxx','yyy',) || die;
print $dbh->quote(q{Boston;DELETE FROM myTable});
__END__
'Boston;DELETE FROM myTable'

[download]

I don't see your point. If any DBD driver let's this through, (and DBD::mysql doesn't), it's a major bug. Yes, it might be inefficient, but it should never lead to a security risk if used correctly.

"What should it profit a man, if he should win a flame war, yet lose his cool?"

Replies are listed 'Best First'.
Re^7: DBH Insert of Binary Data
by jZed (Prior) on Mar 19, 2005 at 01:39 UTC 
    > If any DBD driver let's this through, (and DBD::mysql 
> doesn't), it's a major bug.
    Agreed.
[reply]
      So now I'm getting curious: are there DBD drivers where you could get an SQL injection attack while still using the quote method correctly?

      Just to make myself as clear as I can: I agree that using placeholders is usually the best and most efficient technique, but I am under the impression that using quote() would (or at least, should) catch all attempts of "breaking out of" an SQL value.

      updated: s/attact/attack/

      "What should it profit a man, if he should win a flame war, yet lose his cool?"
[reply]
        > are there DBD drivers where you could get an SQL injection
> attact while still using the quote method correctly?
        Not that I know of.
[reply]

In Section Seekers of Perl Wisdom