in reply to Re: Cookie login (pseudocode)
in thread Cookie login (pseudocode)

Constrain what will be accepted as userid/password combinations so that someone cannot add a bit of sql to the end of the login string and read your whole user base.

No! Use place holders in the first place, then you don't even have to sanitize the user input for DB operations.

Re^3: Cookie login (pseudocode)
by Akoya (Scribe) on Feb 20, 2008 at 15:32 UTC
    Moritz, Please elaborate on the use of place holders for this purpose. I have a similar need, and I'm not sure what you are recommending here. Thanks, --Akoya.
      Akoya, the DBI module will sanitize the parameters you pass in to placeholders in a prepared statement:
      my $sth = $dbh->prepare("SELECT * FROM foo WHERE bar = ?");
      $sth->execute("my 'scary variable here';");
      Whereas if you just did it using $dbh->do():
      $dbh->do("SELECT * FROM foo WHERE bar = " . "my scary 'variable here';");
      You would have a problem, because the ' and ; characters would not have been escaped - and would therefore do Bad Things™ to your database.
      my $sth = $dbh->prepare("update thetable set that=? where this=?");
      $sth->execute($that, $this);
      
      I believe he means that $this and $that are SQL safe below. $this could easily be "1;delete from thetable"; the engine would merely look for column data equal to that string, not append the information. Unlike something like ...
      my $sth = $dbh->prepare("update thetable set that=$that where this=$this");
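An added example (not code from the thread or from PerlMonks) that runs both forms against a throwaway in-memory SQLite database, so you can see that a bound placeholder value is compared as data while the interpolated version lets the quote characters rewrite the WHERE clause. It assumes DBD::SQLite is installed; the table, rows and hostile input are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the example runs offline (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed sample table: two users, both with that='old'.
$dbh->do("CREATE TABLE thetable (this TEXT, that TEXT)");
$dbh->do("INSERT INTO thetable (this, that) VALUES ('alice', 'old')");
$dbh->do("INSERT INTO thetable (this, that) VALUES ('bob', 'old')");

# Constructed hostile input: a value containing quote characters, the kind
# of thing the thread warns about.
my $this = "bob' OR 'a'='a";
my $that = "new";

# Safe form: placeholders. DBI binds $this as one literal string, so the
# statement only matches a row whose column is exactly that string (none).
my $sth = $dbh->prepare("UPDATE thetable SET that = ? WHERE this = ?");
my $rows_safe = $sth->execute($that, $this);
printf "placeholders:   %d row(s) updated\n", $rows_safe;

# Unsafe form: interpolation. The quotes in $this become part of the SQL
# text, so the WHERE clause is now true for every row in the table.
my $rows_unsafe = $dbh->do(
    "UPDATE thetable SET that = '$that' WHERE this = '$this'");
printf "interpolation:  %d row(s) updated\n", $rows_unsafe;

# Show the damage: after the interpolated statement, every row has changed.
my $changed = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM thetable WHERE that = ?", undef, $that);
printf "rows now carrying that='%s': %d (of 2)\n", $that, $changed;

$dbh->disconnect;
```

The placeholder version reports 0 rows updated and leaves the table untouched; the interpolated version updates both rows even though the caller only intended to match one user.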