in reply to Secure Regular Expression Check

Your user could provide the string user' OR 1 --, which means that the query always returns all rows in the table.

A better protection is the usage of placeholders, as demonstrated in the DBI documentation:

my $query = $dbh->prepare("select name, pass from unpw where name = ?");
$query->execute($entered_un);   # no checking needed here: the value is bound, never interpolated into the SQL

Re^2: Secure Regular Expression Check
by jettero (Monsignor) on Sep 09, 2008 at 14:21 UTC
    (Additionally, even if the DBD doesn't support bind variables, the DBI still provides quote(), which will probably do a 100% better job than a hand-rolled regex any day.)

    -Paul
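The placeholder fix from the post above and the quote() fallback jettero mentions, side by side with the interpolated query the thread warns about, as an added example (not code from the thread). It assumes DBD::SQLite is installed and uses an in-memory database; the table name unpw and the columns follow the thread, and the two rows inserted are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed fixture: an in-memory SQLite database standing in for the
# thread's "unpw" table (assumes DBD::SQLite is available).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE unpw (name TEXT, pass TEXT)');
$dbh->do(q{INSERT INTO unpw VALUES ('alice', 'hash-a')});
$dbh->do(q{INSERT INTO unpw VALUES ('bob',   'hash-b')});

# The input from the thread: closes the string literal, adds a tautology,
# and comments out whatever follows.
my $entered_un = "user' OR 1 --";

# 1. Vulnerable: the value is pasted into the SQL text, so it becomes syntax.
sub rows_by_interpolation {
    my ($un) = @_;
    my $sql = "select name, pass from unpw where name = '$un'";
    return $dbh->selectall_arrayref($sql);
}

# 2. Placeholder: the SQL text is fixed at prepare() time; execute() hands the
#    value to the driver separately, so it can only ever be compared as data.
sub rows_by_placeholder {
    my ($un) = @_;
    my $sth = $dbh->prepare('select name, pass from unpw where name = ?');
    $sth->execute($un);
    return $sth->fetchall_arrayref;
}

# 3. quote(): for a DBD without bind support, let the driver escape the value
#    by its own rules instead of hand-rolling a regex.
sub rows_by_quote {
    my ($un) = @_;
    my $sql = 'select name, pass from unpw where name = '
            . $dbh->quote($un);
    return $dbh->selectall_arrayref($sql);
}

for my $case (
    [ interpolation => \&rows_by_interpolation ],
    [ placeholder   => \&rows_by_placeholder   ],
    [ 'quote()'     => \&rows_by_quote         ],
) {
    my ($label, $fn) = @$case;
    my $rows = $fn->($entered_un);
    printf "%-14s %d row(s): %s\n", $label, scalar @$rows,
        join(', ', map { $_->[0] } @$rows);
}
```

Run as-is: the interpolated query comes back with every user in the table, while the placeholder and quote() versions return no rows, because no user is literally named "user' OR 1 --". The placeholder form is still the one to prefer; quote() depends on the driver knowing the server's escaping rules, whereas a bound parameter never passes through the SQL parser at all.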

Re^2: Secure Regular Expression Check
by jvector (Friar) on Sep 09, 2008 at 17:23 UTC
    In danger of going OT, but could not resist the chance to share this picture (commentary is in Spanish but you get the idea). It is a number plate with the text 'OR 1=1; -- ...designed to effect a SQL injection attack on ANPR cameras!
      How very cool ;-)

      I assume you also know about Bobby Tables?

        That is exactly what I thought of when I read the OP.

        I'm so adjective, I verb nouns!

        chomp; # nom nom nom

        Classic ;-)