in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

Ran your code on IBM UDB version 9.5.0 on Linux 2.6.9 i386. 
$ perl -w 661423.pl 
Connected OK to DBD::DB2::VIPER.
Clear out existing data from the test table ..
Add (44,Some benign text) to the test table ..
Add (55,Just regular data) to the test table ..
Add (66,Evil data');DELETE FROM jobs;) to the test table ..
Dump out the result.
'44', 'Some benign text'
'55', 'Just regular data'
'66', 'Evil data');DELETE FROM jobs;'
3 rows

[download]
However, I would in most cases favor stored procedures as main way of interacting with a database. Benefits includes both security (which includes preventing SQL injection attacks - simply because you don't get to create dynamic SQL) and performance.
--
Andreas
  • Comment on Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
  • Download Code

In Section Meditations