[PLUG] SQL insertion attacks

Bear Giles bgiles at coyotesong.com
Wed Oct 30 18:53:52 UTC 2002


> For Perl, the key thing is *** use DBI placeholders ***.  It's amazing
> how many people don't do that, and instead try to substitute into the
> text.  Bleh.

I'm sure Perl doesn't have this problem :-), but you have to be careful
because some implementations just blindly substitute the text in the
query sent to the RDBMS, and using placeholders gains you nothing.

To be absolutely safe, you need to explicitly encode the data sent to
the database to mask any metacharacters.

Bear
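The three approaches discussed above side by side, as an added Perl example that is not part of the original thread: DBI with DBD::SQLite on an in-memory database is an assumption (the message names no driver), and the table and input value are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: an in-memory SQLite database so the script runs offline.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 'alice\@example.com')");
$dbh->do("INSERT INTO users VALUES ('bob',   'bob\@example.com')");

# Untrusted input containing a quote character, as a user might type it.
my $name = "o'brien";

# 1. Substituting the value into the SQL text: the quote inside $name ends
#    the string literal early, so the RDBMS sees a different statement than
#    the one the programmer wrote (here it simply fails to parse).
my $unsafe_sql = "SELECT email FROM users WHERE name = '$name'";
my $unsafe_ok  = eval { $dbh->selectall_arrayref($unsafe_sql); 1 };
print "substituted query: ", ($unsafe_ok ? "ran" : "failed: $@"), "\n";

# 2. DBI placeholder: the value is bound separately and never becomes part
#    of the SQL text, so the quote is plain data and the query just returns
#    no matching rows.
my $rows = $dbh->selectall_arrayref(
    "SELECT email FROM users WHERE name = ?", undef, $name);
printf "placeholder query: %d row(s)\n", scalar @$rows;

# 3. Explicit encoding, for drivers that only emulate placeholders on the
#    client side: $dbh->quote() escapes the metacharacters (' becomes '')
#    and adds the surrounding quotes, so the literal is always well-formed.
my $quoted_sql = "SELECT email FROM users WHERE name = " . $dbh->quote($name);
print "quoted literal: $quoted_sql\n";
$rows = $dbh->selectall_arrayref($quoted_sql);
printf "quoted query: %d row(s)\n", scalar @$rows;
```

With RaiseError set, the first query dies inside the eval and the other two run cleanly; whether a given DBD driver sends placeholders to the server or emulates them locally is documented per driver and is the point of the caveat above.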
