>>>>> "Henrik" == Henrik Steffen <steffen@city-map.de> writes:
Henrik> yes, input is coming from a web form.
Henrik> my SQL() function uses DBD::Pg in Perl
Henrik> and it does the following:
Henrik> sub SQL {
Henrik> my $command=shift;
Henrik> ...
Henrik> $sth=$db->prepare($command);
Henrik> $sth->execute();
Henrik> ...
Henrik> }
Which is not the way to do it if there are any values. You should
be using placeholders, which properly escape the data so the calamity
and security whole you described would never have happened.
my $sth = $dbh->prepare("UPDATE atable SET col1 = ? WHERE col2 = ?");
$dbh->execute($col1_value, $col2_value);
That's the Right Way.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
