in reply to Re^2: SQL Injection myths under DBI
in thread SQL Injection myths under DBI?

Prematurely breaking a select can be just as bad as inserting additional statements; consider this:
my ($id) = $dbh->selectrow_array("SELECT id FROM users WHERE NAME='$name' AND PASSWORD='$password'");

If I somehow manage to break the SQL statement in $name, my password will not be checked! Without a good quoting mechanism, you could break that with

$name = "admin\'\0";
or even
$name = "admin';";
Or whatever kind of escapes your specific DBD/database combination will allow. This is the main reason for using $dbh->quote() and placeholders - the quoting mechanism can be different for different databases, and they are a little more complex than you imagine. In effect, all you're doing is trying to reinvent the $dbh->quote() method.

Why reinvent the wheel when there already is one that's been especially made for your type of car, has been checked and double-checked, and is already safely attached to your car?
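The contrast the post draws, as an added example that is not part of the original thread: the interpolated query is only built as a string (so you can see what the database would receive for each of the inputs above), while the same lookup is run for real with placeholders and with $dbh->quote(). It assumes DBD::SQLite is installed and uses an in-memory database with one constructed user row; the table, column and sample values are made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data: an in-memory SQLite database with a single user.
# (Assumes DBD::SQLite; any DBD works the same way for the placeholder path.)
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)");
$dbh->do("INSERT INTO users (id, name, password) VALUES (?, ?, ?)",
    undef, 1, 'admin', 's3cret');

# The interpolated form from the post: whatever is in $name becomes SQL text.
# Only built here, never executed, so we can inspect what would be sent.
sub unsafe_sql {
    my ($name, $password) = @_;
    return "SELECT id FROM users WHERE name='$name' AND password='$password'";
}

# Same lookup with placeholders: DBI hands $name and $password to the driver
# as values, so they can never change the shape of the statement.
sub lookup_with_placeholders {
    my ($name, $password) = @_;
    my ($id) = $dbh->selectrow_array(
        "SELECT id FROM users WHERE name=? AND password=?",
        undef, $name, $password);
    return $id;
}

# Same lookup built with $dbh->quote(): the driver escapes for its own dialect.
sub lookup_with_quote {
    my ($name, $password) = @_;
    my $sql = sprintf("SELECT id FROM users WHERE name=%s AND password=%s",
        $dbh->quote($name), $dbh->quote($password));
    my ($id) = $dbh->selectrow_array($sql);
    return $id;
}

# Render a result (or the driver's error) for display.
sub describe {
    my ($code) = @_;
    my $r = eval { $code->() };
    return "error: $@" if $@;
    return defined $r ? "id $r" : "no row";
}

# The inputs from the post, plus the honest one, each tried with a wrong password.
for my $name ("admin", "admin';", "admin\'\0") {
    (my $shown = $name) =~ s/\0/\\0/g;   # make the NUL visible in output
    printf "name=%-10s interpolated SQL would be: %s\n", "\"$shown\"",
        unsafe_sql($shown, 'wrong');
    printf "%-16s placeholders: %s | quote(): %s\n", '',
        describe(sub { lookup_with_placeholders($name, 'wrong') }),
        describe(sub { lookup_with_quote($name, 'wrong') });
}

# Only the genuine credentials return the row.
printf "genuine login: %s\n",
    describe(sub { lookup_with_placeholders('admin', 's3cret') });
```

With placeholders the crafted names are compared as literal strings and match nothing, so no row comes back; the quote() path is shown through eval because, as the post says, how a driver handles an embedded NUL is dialect-specific, and RaiseError turns any rejected statement into an exception rather than a silently truncated WHERE clause.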

Replies are listed 'Best First'.
Re^4: SQL Injection myths under DBI
by itub (Priest) on Apr 12, 2005 at 14:02 UTC
    Why reinvent the wheel when there already is one that's been especially made for your type of car, has been checked and double-checked, and is already safely attached to your car?

    ++ I love that! This quote should be added to the next edition of the Camel book!