in reply to Security with a MEMO field

merylyn is right. Use placeholders in your DBI statements (that is, do:
$sth = $dbh->prepare("INSERT INTO dork (memo) VALUES (?)"); $sth->execute($unsafe_memo);
).
However, the real question is: what will you do with the memo? If all you'll ever do is put it in the DB (I doubt that), placeholders are enough. Otherwise, think ahead.

You should examine what you want to do with it in the future (e.g. display it next to the item it is a memo for on a web page, in plain text, etc.). Then, you should take care to properly escape and/or encode it when it comes out of the database en route to its other use.

In general, it's best to regard the database text fields as untrustworthy dens of iniquity that must be treated just like inbound CGI params (whence those fields usually came).

Finally, there is another option: filter it coming in so that it can contain only safe things for its intended purpose. However, this should generally only be done in rather limited circumstances.
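A worked version of the three points above (placeholder on the way in, escaping on the way out, and an optional narrow input filter), as an added example that is not code from the reply. It assumes DBD::SQLite is available and uses an in-memory database; the table name dork and column memo follow the reply, while the id column, the function names and the sample memo are assumptions.

```perl
#!/usr/bin/env perl
# Added example (not from the PerlMonks reply): store a memo with a DBI
# placeholder, then encode it for the destination when it comes back out.
# Assumes DBD::SQLite; table "dork" and column "memo" come from the reply,
# the id column, in-memory database and sample memo are assumptions.
use strict;
use warnings;
use DBI;

# The ? placeholder leaves quoting to the driver: the memo is data, never SQL.
sub store_memo {
    my ($dbh, $memo) = @_;
    my $sth = $dbh->prepare("INSERT INTO dork (memo) VALUES (?)");
    $sth->execute($memo);
    return $dbh->last_insert_id(undef, undef, "dork", "id");
}

sub fetch_memo {
    my ($dbh, $id) = @_;
    my ($memo) = $dbh->selectrow_array(
        "SELECT memo FROM dork WHERE id = ?", undef, $id);
    return $memo;
}

# Output encoding is chosen per destination. For an HTML page, encode the
# five characters that can change markup structure; a plain-text report or a
# shell command would need a different encoder, not this one.
sub escape_html {
    my ($text) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Optional input filter for the "limited circumstances" case: keep only
# printable ASCII and whitespace and cap the length. Use it only when the
# memo has one well-defined purpose, since it discards data irreversibly.
sub filter_memo {
    my ($memo, $max) = @_;
    $max //= 1000;
    $memo =~ s/[^\x20-\x7E\t\r\n]//g;
    return substr($memo, 0, $max);
}

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE dork (id INTEGER PRIMARY KEY AUTOINCREMENT, memo TEXT NOT NULL)");

# Constructed sample input: a memo carrying an SQL quote, a statement
# terminator and HTML markup, exactly the kind of value a CGI param delivers.
my $unsafe_memo = q{O'Brien's note: <b>see</b> item 3; DROP TABLE dork; -- done};

my $id   = store_memo($dbh, $unsafe_memo);
my $back = fetch_memo($dbh, $id);
my ($rows) = $dbh->selectrow_array("SELECT COUNT(*) FROM dork");

print "table intact, rows: $rows\n";
print "stored unchanged: ", ($back eq $unsafe_memo ? "yes" : "no"), "\n";
print "for HTML:  ", escape_html($back), "\n";
print "filtered:  ", filter_memo($back, 40), "\n";
```

The point the reply makes is visible in the last three lines: the database round-trip keeps the memo byte-for-byte (the placeholder makes the quote and the semicolon harmless without altering them), and it is the HTML encoder, applied at output time, that neutralises the markup; the filter is a separate, lossy choice that only makes sense when the memo has exactly one destination.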

Re^2: Security with a MEMO field
by other90percent (Sexton) on Jun 10, 2005 at 08:03 UTC

    Placeholders are a good idea, and if you're worried about gremlin characters, DBI placeholders will get you through a few hoops safely - like the INSERT into the database.

    But there are many other kinds of hoops, and you will invent new ones.

    other90percent will now expound at length on data paranoia...

    Feel free to add more hoops and taint checks in reply....