[ic] "==" and "!=" as DB field values
Stefan Hornburg
racke at linuxia.de
Tue Oct 28 17:08:35 EST 2003
On Tue, 28 Oct 2003 09:37:08 -0500
Doug Alcorn <doug at lathi.net> wrote:
> Stefan Hornburg <racke at linuxia.de> writes:
>
> > $Db{products}->query("select * from products where name = '$CGI->{foo}'");
> >
> > => that's unsafe IMHO
>
> Just to clarify, if
>
> $CGI->{foo} = "'; delete from products;'"
>
> Then there could be problems. In this case, you should escape any
> single quotes in $CGI->{foo}.
>
> [perl]
> # racke says my perl is "rusty", so take this with a few grains of sandpaper
> my $foo = $Tag->filter('sql', $CGI->{foo});
> my $ref = $Db{products}->query("select * from products where name = '$foo'");
> [/perl]
With 5.0- you can do (AFAIK)
$Db{products}->query("select * from products where name = %s", $CGI->{foo});
Ciao
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
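The three approaches discussed in the thread side by side, as an added example that is not Interchange code or anything from the posters: Python's sqlite3 module stands in for Interchange's $Db{products}->query, the sql_escape() function is an assumed model of what a quote-doubling 'sql' filter does (nothing else about that filter is modelled), and the sample rows and the two attacker inputs are constructed for the demonstration. It goes one step beyond the thread by also showing why escaping alone is not enough: a value spliced into an unquoted numeric comparison has no quote to double.

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from the thread.
SAMPLE_ROWS = [("widget", 10), ("gadget", 20), ("gizmo", 30)]

# Constructed attacker inputs, standing in for a hostile $CGI->{foo}.
TAUTOLOGY = "' or '1'='1"
DROP_PAYLOAD = "'; delete from products; --"


def fresh_db():
    """In-memory products table seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (name text, price integer)")
    conn.executemany("insert into products values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_interpolated(conn, name):
    """Unsafe: the "where name = '$CGI->{foo}'" pattern from the thread.
    The value becomes part of the SQL text, so quotes in it change the query."""
    sql = f"select name, price from products where name = '{name}'"
    return conn.execute(sql).fetchall()


def run_interpolated_script(conn, name):
    """Same unsafe pattern on a driver that accepts several ';'-separated
    statements (executescript stands in for such a driver). Returns the
    row count afterwards so the damage from an injected DELETE is visible."""
    sql = f"select name, price from products where name = '{name}'"
    conn.executescript(sql)
    return conn.execute("select count(*) from products").fetchone()[0]


def sql_escape(value):
    """Doubles single quotes, the core of an SQL quoting filter. Assumption:
    this is what the 'sql' filter in the thread does; nothing else is modelled."""
    return str(value).replace("'", "''")


def query_escaped(conn, name):
    """Escaping before interpolation: safe only inside a quoted string."""
    sql = f"select name, price from products where name = '{sql_escape(name)}'"
    return conn.execute(sql).fetchall()


def query_escaped_numeric(conn, price):
    """The limit of escaping: an unquoted numeric context has no quote to
    double, so a quoting filter leaves the injection intact."""
    sql = f"select name, price from products where price = {sql_escape(price)}"
    return conn.execute(sql).fetchall()


def query_parameterised(conn, name):
    """The placeholder form: SQL text and value travel separately and the
    driver binds the value. sqlite3 uses '?' where the thread's example
    uses %s, but the mechanism is the same."""
    return conn.execute(
        "select name, price from products where name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("interpolated, tautology: ", query_interpolated(db, TAUTOLOGY))
    print("escaped, tautology:      ", query_escaped(db, TAUTOLOGY))
    print("escaped, numeric:        ", query_escaped_numeric(db, "10 or 1=1"))
    print("parameterised, tautology:", query_parameterised(db, TAUTOLOGY))
    print("rows left after injected DELETE:",
          run_interpolated_script(db, DROP_PAYLOAD))
```

The tautology input makes the interpolated query return every row, the escaped query returns nothing for it, and the parameterised query treats it as a literal product name that matches nothing. The numeric case is the caveat worth remembering when reaching for a quoting filter: it only protects a value that sits inside quotes. The placeholder form in the reply above is the one that holds in every context, which is the same reason DBI code uses ? placeholders with prepare/execute rather than interpolating into the statement text.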