
Re: [LUG] perl question


Steve Marvell wrote:
> 
> Let's hope $variable doesn't become something like ...
> 
> sponge'; drop database blah;
> 
> ... shall we :)

I believe (at least for most database drivers) that the Perl DBI module
only allows one statement per statement handle.

Thus you have to be more imaginative in the SQL you inject into Perl
scripts. Using a sub-clause to rip information from user/password tables
or calling procedures are the usual methods (so I'm told).

But don't worry, the bad guys are really good at that sort of thing.

> Passing variables through the execute process is very very safe. It
> quotes, escapes and is rather splendid all round.

... and can be faster. It will be faster if you do the same query
repeatedly.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
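As an added example, not part of the thread, the two points above in working Perl DBI code: the quoted hostile value is harmless when bound through `execute`, and the prepared handle is reused for repeated lookups. It assumes DBD::SQLite is installed and uses a constructed in-memory table.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database keeps this self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do(q{CREATE TABLE users (name TEXT, email TEXT)});
$dbh->do(q{INSERT INTO users VALUES ('alice', 'alice@example.com')});
$dbh->do(q{INSERT INTO users VALUES ('bob',   'bob@example.com')});

# Untrusted input of the kind quoted in the thread (constructed).
my $variable = "sponge'; drop table users;";

# 1. Interpolating the value into the SQL text: the quote inside $variable ends
#    the string literal early. Most DBI drivers run only one statement per
#    handle, so the extra statement is refused or ignored rather than executed,
#    but the query's meaning is still dictated by the input.
my $bad_sql = "SELECT email FROM users WHERE name = '$variable'";
my $outcome = 'ran';
eval { $dbh->selectall_arrayref($bad_sql); 1 } or $outcome = "failed: $@";
print "interpolated query: $outcome\n";

# 2. Placeholder (bind parameter): the value never becomes part of the SQL
#    text, so the driver passes the whole string, quote and semicolon
#    included, to the database as data.
my $sth = $dbh->prepare("SELECT email FROM users WHERE name = ?");
$sth->execute($variable);
my $rows = $sth->fetchall_arrayref;
print "placeholder query with hostile input matched ", scalar(@$rows), " rows\n";

# 3. The same prepared handle serves repeated lookups: parse once, execute many.
for my $name (qw(alice bob carol)) {
    $sth->execute($name);
    my $r = $sth->fetchrow_arrayref;
    printf "%-6s => %s\n", $name, $r ? $r->[0] : '(no such user)';
}

# The table is intact: the hostile string was treated as a name to look up.
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM users");
print "users table still has $count rows\n";
```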