in reply to Preventing malicious T-SQL injection attacks
I second the idea of whitelisting the acceptable values for $SPROC and also using placeholders to insert the elements of @CHOICE into the SQL.
Combining the two ideas might give something like this:
    # %procs contains the names of the valid stored procs
    # together with the number of parameters each requires
    my %procs = (
        proc1 => 2,
        proc2 => 0,
        proc3 => 1,
        # ...
    );

    # refuse anything that is not on the whitelist before it
    # gets anywhere near the SQL text
    unless (exists $procs{$SPROC}) {
        die "Unknown stored proc: $SPROC\n";
    }

    # one '?' placeholder per expected parameter; the values
    # themselves are bound at execute time, never interpolated
    my $sql = "EXEC $SPROC " . join ', ', ('?') x $procs{$SPROC};
    my $sth = $dbh->prepare($sql);
    $sth->execute(@CHOICE);
This code also has the advantage of dying if the number of elements in @CHOICE doesn't match the expected number of parameters.
"The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg
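As an added illustration (not part of the reply above), the same whitelist-plus-placeholders idea extended so that each proc also declares a per-parameter validator, and the SQL/bind list is built and checked without needing a live $dbh. The proc names, regexes and sample inputs are all made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Whitelist of callable procs: name => list of per-parameter validators.
# Arity is the list length; each entry is a regex the bound value must
# match before it is handed to DBI as a placeholder value. (Constructed.)
my %PROCS = (
    proc1 => [ qr/^\d{1,9}$/, qr/^[A-Za-z0-9_]{1,32}$/ ],  # two params
    proc2 => [],                                            # no params
    proc3 => [ qr/^\d{1,9}$/ ],                             # one param
);

# Returns the SQL text and the values to bind, or dies. The proc name is
# only interpolated after it has been checked against %PROCS, and the
# parameter values never touch the SQL text at all.
sub build_call {
    my ($sproc, @choice) = @_;
    my $spec = $PROCS{$sproc}
        or die "Unknown stored proc: $sproc\n";
    die sprintf("%s expects %d parameter(s), got %d\n",
                $sproc, scalar @$spec, scalar @choice)
        unless @choice == @$spec;
    for my $i (0 .. $#choice) {
        die "Parameter $i of $sproc has an invalid value\n"
            unless defined $choice[$i] && $choice[$i] =~ $spec->[$i];
    }
    my $sql = "EXEC $sproc";
    $sql .= ' ' . join(', ', ('?') x @choice) if @choice;
    return ($sql, @choice);
}

# Constructed inputs: the first two are accepted, the last two rejected.
for my $case ( [ 'proc1', 42, 'widget' ],
               [ 'proc2' ],
               [ 'proc1; DROP TABLE users--', 1, 2 ],   # name not whitelisted
               [ 'proc3', '1; DROP TABLE users--' ] ) {  # value fails regex
    my ($sql, @binds) = eval { build_call(@$case) };
    print $@ ? "rejected: $@" : "$sql  <- binds: [@binds]\n";
}

# With a live handle the call is then simply:
#   my $sth = $dbh->prepare($sql); $sth->execute(@binds);
```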