in reply to Re^3: untainting or encoding for shelled sqlplus update
in thread untainting or encoding for shelled sqlplus update

Perhaps true...though if there is a lot of code, it's going to be a lot of work no matter what (not just creating "a DBI handle"). I imagine there's a lot of code with interpolated variables, e.g.
    my $sql = <<EOT;
    select blah, blahblah from blah_etc where foo = '$bar'
    EOT

For the least amount of work, I might use something like Interpolate and turn that into something like:

    my $sql = <<EOT;
    select blah, blahblah from blah_etc where foo = $quote{$bar}
    EOT

(with %quote properly defined through Interpolate)

But even that is a lot of tedious work if there is a lot of SQL to change. I could be wrong, but I don't think it would be much more work to just go ahead and use DBI to execute the SQL and return results.

Re^5: untainting or encoding for shelled sqlplus update
by goibhniu (Hermit) on May 15, 2008 at 21:05 UTC

    I've been looking at Interpolate. How would that take care of bad characters in $bar in your example?


    #my sig used to say 'I humbly seek wisdom. '. Now it says:
    use strict;
    use warnings;
    I humbly seek wisdom.
      Start with what Herkum suggests above. Make one database handle. But then create a function that (maybe untaints the data and then) calls $dbh->quote() on its argument and returns the results, then use Interpolate to tie a hash to that function. Or, don't use DBI, and just wing it to create your own escaping function.
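The approach described above, as an added illustration that is not code from this thread: a hand-rolled tied hash stands in for Interpolate's tie interface (assumption: same effect, a hash whose reads call a function), and an in-memory SQLite handle stands in for the Oracle connection so it runs stand-alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Tied hash: reading $quote{$value} returns $dbh->quote($value), so the
# value can be interpolated into a here-doc as a properly quoted SQL literal.
{
    package QuoteHash;
    sub TIEHASH { my ($class, $dbh) = @_; return bless { dbh => $dbh }, $class }
    sub FETCH {
        my ($self, $value) = @_;
        # Under -T an untaint step belongs here (a capturing regex that admits
        # only the characters this column may legitimately contain).
        return $self->{dbh}->quote($value);
    }
}

# One database handle for the whole script (constructed: SQLite in memory,
# assumed installed; the thread's real target would be DBD::Oracle).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('create table blah_etc (blah text, blahblah text, foo text)');
$dbh->do(q{insert into blah_etc values ('x', 'y', 'O''Brien')});

tie my %quote, 'QuoteHash', $dbh;

# Constructed input containing a quote character and a statement terminator.
my $bar = "O'Brien;";

my $sql = <<EOT;
select blah, blahblah from blah_etc where foo = $quote{$bar}
EOT
print $sql;   # the embedded quote is doubled, so the value stays one literal

my $rows = $dbh->selectall_arrayref($sql);
printf "%d row(s) matched the interpolated query\n", scalar @$rows;

# Same lookup with a placeholder, which avoids building the string at all:
my $ph = $dbh->selectall_arrayref(
    'select blah, blahblah from blah_etc where foo = ?', undef, "O'Brien");
printf "%d row(s) matched the placeholder query\n", scalar @$ph;
```

The tied hash keeps the existing here-doc SQL almost unchanged, while the placeholder form at the end shows what the DBI-only route from earlier in the thread looks like.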