Re: [htmltmpl] [Question] H::T and DBI => stuffing query info into <TMPL_LOOP>'s
From: Mathew R. <mat...@re...> - 2004-04-14 21:48:13
> > What has Perl's string interpolation got to do with DBI?
> >
> > "SELECT * FROM $working_tbl WHERE first='one' ORDER BY Location"
> >
> > The variable $working_tbl will be interpolated by Perl, long before DBI
> > ever gets to see the SQL statement, due to the double-quote.
>
> $working_tbl may come from some kind of user input, which opens you up to
> SQL injection attacks. Most databases don't allow placeholders for the
> table name. It's best to use DBI->quote() whenever you absolutely must
> interpolate a variable into an SQL statement.

No - you should never take any kind of user input without doing input
validation -> otherwise you are asking for trouble.

Also, DBI->quote() will not help with the example written above, as Perl
will interpolate the variable into the string, due to the double-quotes.
You are correct that most databases won't use variable table names, but
the syntax was not written like:

"SELECT * FROM ? WHERE ..."

Mathew
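An added example, not from this thread, of the input validation the reply calls for: the table name is checked against an allow-list and quoted as an identifier (placeholders cannot bind it), while the WHERE value is bound as a placeholder. It assumes DBD::SQLite is installed and constructs a small in-memory table.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed demo database (assumes DBD::SQLite); the table is made up.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE inventory (first TEXT, Location TEXT)");
$dbh->do("INSERT INTO inventory VALUES ('one', 'Shelf A'), ('two', 'Shelf B')");

# Allow-list of table names the application may query. Anything coming
# from user input that is not listed here is rejected outright.
my %allowed_table = map { $_ => 1 } qw(inventory archive);

sub fetch_rows {
    my ($tbl, $first) = @_;

    # 1. Validate the identifier: a placeholder cannot stand in for a table
    #    name, so the only safe option is to refuse unknown values.
    die "refusing unknown table '$tbl'\n" unless $allowed_table{$tbl};

    # 2. quote_identifier() quotes the name as an identifier, whereas
    #    DBI->quote() would turn it into a string literal. The SQL is built
    #    from the validated, identifier-quoted name only.
    my $sql = "SELECT * FROM " . $dbh->quote_identifier($tbl)
            . " WHERE first = ? ORDER BY Location";

    # 3. The WHERE value is bound at execute time, never interpolated.
    my $sth = $dbh->prepare($sql);
    $sth->execute($first);
    return $sth->fetchall_arrayref;
}

# Legitimate call.
my $rows = fetch_rows("inventory", "one");
printf "%s / %s\n", @$_ for @$rows;

# Unexpected inputs: an unknown table name is rejected before any SQL is
# assembled, and a value containing SQL syntax is only compared as text.
eval { fetch_rows("inventory; DROP TABLE inventory", "one") };
print "rejected: $@" if $@;
my $none = fetch_rows("inventory", "one' OR '1'='1");
print "rows matched by the odd-looking value: ", scalar(@$none), "\n";
```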