in reply to Re^2: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks

I've tested this bit:

my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC};

It doesn't work. It produced a load of '?' in a row.

Erm... yes. That's what it is supposed to do. It produces an SQL statement with the correct number of placeholders in it (a placeholder is marked with a question mark).

What were you expecting it to produce?

Also, I am having problems adapting the code like follows:

my @procs = qw/recept/;

unless (exists $procs{$SPROC}) {
  die "Unknown stored proc: $SPROC\n";
}

[download]

Clearly there is a difference between hashes and arrays when it comes to using the exist function.

Clearly :-)

For example. hashes are indexed with strings and arrays are indexed with integers. So trying to see if a string key exists in an array is always going to be doomed to failure.

But actually, that's not what you're doing is it? You're setting up an array and then looking for a key in a non-existant hash.

Has someone recommended that you use "strict" and "diagnostics" in your code? Because that would have explained what your problem is here.

--

<http://dave.org.uk>

"The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg

Replies are listed 'Best First'.
A reply falls below the community's threshold of quality. You may see it by logging in.

In Section Seekers of Perl Wisdom