in reply to Re: is this mentality safe?
in thread is this mentality safe?

I stand under correction, but I would say yes. The reason being that everything in a placeholder goes via $dbh->quote(), so unless there is a bug in the quoting code, it should be fine.

Also, DBI runs only one command at a time, so sticking two commands in there (as is usually done with SQL injections) shouldn't succeed.

YMMV

clint

Re^3: is this mentality safe?
by Anonymous Monk on May 19, 2007 at 02:44 UTC

    Yes, the DBI documentation says that only one command should be run at a time. That is more of a recommendation of how the DBI is intended to be used. It is not necessarily descriptive of what will be accepted. Whether multiple commands are accepted is up to the individual drivers and databases:

    In ODBC terms, the DBI is in "pass-thru" mode, although individual drivers might not be.
    - The DBI documentation

    I have seen DBD::mysql and DBD::Sybase accept multiple commands at a time. I don't know about other drivers.

    But, as you say, unless there's a bug in the quoting code, placeholders are quite safe. They won't necessarily prevent you from running multiple commands at once, but they will prevent user-supplied data from being interpreted as SQL commands.
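The two points made in this thread (clint's, that bound placeholders keep user data from being parsed as SQL, and Anonymous Monk's, that whether stacked statements are accepted is up to the driver rather than something placeholders buy you) can be shown side by side. The following is an added example, not code from any poster in the thread. The thread is about Perl DBI; this example uses Python's sqlite3 module because it has the same `?` placeholder model and runs with no setup. The table, rows and attacker strings are constructed test data. The one-statement-per-execute() refusal shown here is sqlite3's own behaviour; as the reply above says, other drivers may happily run the second statement.

```python
import sqlite3

# Constructed attacker inputs.  The point is that both must stay *data*.
MALICIOUS_USER = "nobody' OR '1'='1"                 # classic quote-break
STACKED_PAYLOAD = "x'; DELETE FROM users WHERE '1'='1"  # second statement


def make_db():
    """In-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    conn.commit()
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_interpolated(conn, name):
    """Unsafe: the value is spliced into the SQL text.  The quoting is done
    by hand, so a quote inside `name` closes the literal and everything after
    it is parsed as SQL.  Note that no second statement is needed to exploit
    this; the OR clause alone leaks every row."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))


def lookup_placeholder(conn, name):
    """Safe: the value is bound to a placeholder.  The SQL the engine parses
    is the literal string below; the user input is handed over separately and
    can never be mistaken for SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def stacked_via_execute(conn, name):
    """Stacked statements through the single-statement API.  sqlite3's
    execute() refuses the trailing statement.  That is a property of this
    driver, not something every DBI driver guarantees."""
    try:
        conn.execute("SELECT name FROM users WHERE name = '%s'" % name)
        return "ran"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "refused"


def stacked_via_executescript(conn, name):
    """Same interpolated query through an API that deliberately accepts
    several statements: the injected DELETE runs.  Returns the surviving
    row count so the damage is visible."""
    conn.executescript("SELECT name FROM users WHERE name = '%s'" % name)
    return count_users(conn)


if __name__ == "__main__":
    print("interpolated:", lookup_interpolated(make_db(), MALICIOUS_USER))
    print("placeholder: ", lookup_placeholder(make_db(), MALICIOUS_USER))
    print("execute():   ", stacked_via_execute(make_db(), STACKED_PAYLOAD))
    print("executescript rows left:",
          stacked_via_executescript(make_db(), STACKED_PAYLOAD))
```

The takeaway matches the thread: `lookup_placeholder` returns nothing for either payload and leaves the table intact, while `lookup_interpolated` leaks every row without stacking anything. Whether the stacked payload then does real damage depends purely on which driver API the query goes through, so "only one statement at a time" is a defence you have to verify per driver, not assume.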