![]() I've used DBI nearly daily in the last few years, and I rarely needed constants. Tainting would also have been my answer to the problem of mixing untrusted user input with SQL fragments.įor constants (your "hard-coded literals"), I really don't care. ![]() Note that the SQL statement would be tainted as soon as you interpolate tainted variables into it. We've already got taint mode and you can set DBI to reject tainted values ( DBI->connect(., )), but that's about as close as you're likely to be able to get. On receiving the query " SELECT * FROM foo WHERE bar = 'baz'", how would DBI know whether it had been called as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = 'baz'") (which is fine - the baz is a hard-coded literal) or as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = '$myvar'") (which is potentially dangerous)? Even if it could make that determination, in the latter case, how would it know whether $myvar's value came from user input (unsafe) or the statement my $myvar = 'baz' (another hard-coded literal, so safe)? Worse than that, it would simply be impossible to do. Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". I would prefer that DBI issued a warning or even refuse to work with inline values, but that would add a lot of overhead, as DBI would need to actually parse the SQL statement. Since most database support parameters, there is no need for quoting or modification of the SQL statement, the values are simply passed through a different part of the communication channel to the database, and so the database can optimize and cache much better than with inline values. Each database driver (DBD::Whatever) must support placeholders, and together with the DBI, it will take care of proper quoting if needed. ![]() Placeholders are part of the DBI specification, so you can use them with ANY database and pseudo-database supported by DBI. That usually means that you are vulnerable to SQL injection, and you prevent any caching of prepared statements.Īlways use placeholders, even if the underlying database does not support placeholders. ![]() You have a second problem: You don't use placeholders. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |