Dave's Brain

Programming Tips: How do I prevent SQL injection attacks when using Perl's DBI?

Date: 2008jan11
Keywords: mysql, postgresql
Language: perl

Q.  How do I prevent SQL injection attacks when using Perl's DBI?

A.  Never interpolate untrusted input into the SQL text. The preferred way is a placeholder (?) in the statement with the value passed to execute(), so the value never becomes part of the SQL at all. When you really must build the SQL string yourself, use the database handle's quote() method, which returns the value as a correctly quoted and escaped SQL literal for the connected driver.  Like this:

use strict;
use DBI;

sub unsafe($$) {
    my($dbh, $name) = @_;
    my($sql, $sth);
    # $name goes straight into the SQL text: a single quote in it closes
    # the string literal and whatever follows is parsed as SQL.
    $sql = qq(SELECT * FROM customers WHERE name = '$name');
    $sth = $dbh->prepare($sql);
    # ...
}

sub safe($$) {
    my($dbh, $name) = @_;
    my($sql, $sth);
    $name = $dbh->quote($name);   # Safely add quotes (and escape any inside the value)
    $sql = qq(SELECT * FROM customers WHERE name = $name);
    $sth = $dbh->prepare($sql);
    # ...
}
Besides preventing an injection attack, it also, more mundanely, permits single quotes in strings, e.g. name = O'Hara. Note that quote() produces the quoting rules of the driver you are connected to, so call it on the handle you will run the statement on, and that quote(undef) returns the bare word NULL, which makes "name = NULL" match no rows rather than raising an error.

Related:
http://www.davekb.com/search.php?target=perl+DBI
http://www.davekb.com/search.php?target=mysql
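The following is an added, runnable example that is not part of the original page. It builds a throwaway in-memory SQLite database with constructed sample rows (it assumes DBD::SQLite is installed) and runs the same WHERE clause three ways against a hostile input: interpolated, via quote(), and via a placeholder. The interpolated query matches every customer, while the quoted and placeholder forms match none. The count_rows helper and the table contents are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not code from the original page. Assumes DBD::SQLite is
# available; the table and rows below are constructed for illustration.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)');
my $ins = $dbh->prepare('INSERT INTO customers (name, balance) VALUES (?, ?)');
$ins->execute(@$_) for (['Alice', 10], ["O'Hara", 20], ['Bob', 30]);

# Attacker-controlled input: closes the string literal and widens the WHERE clause.
my $hostile = "x' OR '1'='1";

# Run a query (optionally with bind values) and return how many rows it matched.
sub count_rows {
    my ($label, $sql, @bind) = @_;
    my $sth = $dbh->prepare($sql);
    $sth->execute(@bind);
    my $n = 0;
    $n++ while $sth->fetchrow_arrayref;
    printf "%-12s %-55s matched %d row(s)\n", $label, $sql, $n;
    return $n;
}

# 1. Interpolation: the input is parsed as part of the SQL grammar.
count_rows('unsafe', "SELECT * FROM customers WHERE name = '$hostile'");

# 2. quote(): the driver escapes the embedded quote, so the input stays one literal.
count_rows('quote()', 'SELECT * FROM customers WHERE name = ' . $dbh->quote($hostile));

# 3. Placeholder: the value never touches the SQL text at all (the preferred form).
count_rows('placeholder', 'SELECT * FROM customers WHERE name = ?', $hostile);

# quote() also handles the legitimate apostrophe case from the page.
count_rows("O'Hara", 'SELECT * FROM customers WHERE name = ' . $dbh->quote("O'Hara"));

# Caveat: quote(undef) yields the bare word NULL, and "name = NULL" matches nothing.
print "quote(undef) gives: ", $dbh->quote(undef), "\n";

$dbh->disconnect;
```

The printed SQL for the quote() case shows what the driver actually did to the hostile string: the embedded single quote is doubled, so the whole input remains a single string literal that matches no customer. Other drivers (DBD::mysql, DBD::Pg) may escape differently, which is why quote() must be called on the handle you will execute against.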

Copyright © 2008-2017, dave - Code samples on Dave's Brain is licensed under the Creative Commons Attribution 2.5 License. However other material, including English text has all rights reserved.