[PLUG] SQL insertion attacks
Randal L. Schwartz
merlyn at stonehenge.com
Thu Oct 31 13:00:37 UTC 2002
>>>>> "Randal" == Randal L Schwartz <merlyn at stonehenge.com> writes:
Randal> Hint: this is wrong:
Randal> my $search_for = param('search_for');
Randal> my $query = "SELECT name, address FROM atable WHERE name = '$search_for'";
Randal> For Perl, the key thing is *** use DBI placeholders ***. It's amazing
Randal> how many people don't do that, and instead try to substitute into the
Randal> text. Bleh.
Heh. I was wondering why this was sounding so familiar.... I wrote a
column on this very subject a few months ago.
See the text at <http://www.stonehenge.com/merlyn/LinuxMag/col40.html>.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
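Added example (not part of the original post or of the linked column): the interpolated query quoted above beside the DBI placeholder form. It assumes DBD::SQLite is installed so the script runs against an in-memory database; the table name and sample rows are constructed to match the quoted snippet.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite database (assumes DBD::SQLite is available).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE atable (name TEXT, address TEXT)");
my $ins = $dbh->prepare("INSERT INTO atable (name, address) VALUES (?, ?)");
$ins->execute(@$_) for (
    [ "alice",   "1 Main St" ],
    [ "O'Brien", "3 Elm Rd"  ],
);

# The pattern the post calls wrong: the parameter is pasted into the SQL text,
# so any quote character in it changes the structure of the statement.
sub lookup_interpolated {
    my ($search_for) = @_;
    my $query = "SELECT name, address FROM atable WHERE name = '$search_for'";
    return $dbh->selectall_arrayref($query);
}

# The fix: a DBI placeholder. The value is bound at execute time and the
# database never parses it as SQL, so quotes in it are just data.
sub lookup_placeholder {
    my ($search_for) = @_;
    my $sth = $dbh->prepare("SELECT name, address FROM atable WHERE name = ?");
    $sth->execute($search_for);
    return $sth->fetchall_arrayref;
}

# A perfectly legitimate name containing a single quote.
my $input = "O'Brien";

# Placeholder form: compared as a literal, finds the row.
my $rows = lookup_placeholder($input);
printf "placeholder:  %d row(s) for %s\n", scalar @$rows, $input;

# Interpolated form: the apostrophe closes the string literal early and the
# remainder is read as SQL. Here that is a syntax error (caught by eval);
# the same mechanism is what lets attacker-chosen input rewrite the query.
eval { lookup_interpolated($input) };
print "interpolated: ", ($@ ? "SQL error: $@" : "ok\n");

$dbh->disconnect;
```

Run it with `perl dbi_placeholders.pl`. Note that the placeholder version also lets DBI prepare the statement once and reuse it, which is the same habit that keeps the INSERT above safe for every row.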