Re: Securing DB transactions with user form input

"If so, I'm thinking this should just be standard practice for any and all DB transactions that pass user input to an sql statement."

Perhaps. But consider other languages such as PHP that don't have placeholders. I find that the standard practice is to use id's wherever you can -- such as a drop down boxes of items. Don't pass the value of the drop down -- pass in the id number for that value and translate it back before you issue your query.

my $id = $q->param( 'start_date_id' );

my $date = $dates[$id]; # etc. maybe add real validation

my $sth = $dbh->prepare( 'SELECT this FROM that WHERE date = ?' );
$sth->execute( $date );
[download]

Comment on Re: Securing DB transactions with user form input Download Code

Replies are listed 'Best First'.
Re^2: Securing DB transactions with user form input by eric256 (Parson) on Feb 04, 2008 at 18:04 UTC
FYI even PHP users should use placeholders (its one of my pet peve's) the code at http://us3.php.net/manual/en/function.mysql-real-escape-string.php#64194 allows you to use psuedo place holders even in PHP :) ___________ Eric Hodges	[reply]
Re^3: Securing DB transactions with user form input by Anonymous Monk on Feb 04, 2008 at 18:58 UTC
I was this close to doing just that and rolling my own ... but, as much as I would love to use that code here at work, I just don't think my co-workers would understand. :( Thanks for the tip!	[reply]