Re: sql injection

Shawn Pringle said...

There was a way perl implementers of the db libraries avoided sql injection attacks. You would pass the values you were sending outside of the string:

So the statement would be passed as: insert into tablefoo values (?,?,?,?) and then for each actual execution you would send the four values as part of an argument list.

I don't know if the .e libraries allow you to do the same thing but they ought to.

That's really a job for the database library you are using because different database servers escape characters differently. Some may use '' to escape a single quote, others will use \'. Now, the way I did it in my unfinished DBI library was to allow you to do things such as:

include std/datetime.e as dt   -- std/datetime.e supplies dt:datetime and dt:now()

dt:datetime now = dt:now()
sequence name = "John Mc'Doe"  -- embedded quote is escaped by %s
atom salary = 100500.52
integer age = 11
sequence comparator = ">"      -- inserted verbatim by %S (not escaped or quoted)

-- db:execute is from the author's unfinished DBI library (not part of the standard library);
-- dbh is an already-open database handle
db:execute(dbh, "UPDATE people SET updated_at=%D, name=%s, salary=%.2f, age=%d WHERE id %S 100",
    {now, name, salary, age, comparator})

The escape codes keep with sprintf as much as possible. The %D converts a datetime.e datetime type into a SQL valid date time string, the %s escapes and quotes the content, the %f, %d work the same as printf, %S is a non-escaped, non-quoted string.

Jeremy
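The placeholder approach Shawn describes, applied to Jeremy's UPDATE, as an added example (Python's sqlite3, not code from either poster or from the DBI library being discussed). It binds the values, allowlists the comparator because an operator cannot be bound as a parameter, and shows how the plain string-building version trips over the apostrophe in "John Mc'Doe". The table and rows are constructed for the example.

```python
import sqlite3
from datetime import datetime

# Operators cannot be passed as bound parameters (the %S case above), so they are
# checked against a fixed set before being spliced into the statement text.
ALLOWED_COMPARATORS = {"<", "<=", "=", ">=", ">", "<>"}


def make_db():
    # Constructed in-memory stand-in for the "people" table in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER, name TEXT, salary REAL, "
                 "age INTEGER, updated_at TEXT)")
    conn.executemany("INSERT INTO people VALUES (?,?,?,?,?)",
                     [(50, "old", 1.0, 1, ""), (150, "old", 1.0, 1, "")])
    conn.commit()
    return conn


def update_people(conn, now, name, salary, age, comparator):
    if comparator not in ALLOWED_COMPARATORS:
        raise ValueError("comparator not allowed: %r" % comparator)
    # Values travel outside the SQL text, so quoting/escaping is the driver's job.
    sql = ("UPDATE people SET updated_at=?, name=?, salary=?, age=? "
           "WHERE id %s 100" % comparator)
    cur = conn.execute(sql, (now.isoformat(sep=" "), name, round(salary, 2), age))
    conn.commit()
    return cur.rowcount


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM people ORDER BY id")]


def naive_update(conn, name):
    # String building: the apostrophe in the name ends the literal early and the
    # statement no longer parses.
    try:
        conn.execute("UPDATE people SET name='%s' WHERE id > 100" % name)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


def comparator_rejected(comparator):
    try:
        update_people(make_db(), datetime(2024, 1, 1), "x", 1.0, 1, comparator)
        return False
    except ValueError:
        return True


def demo():
    conn = make_db()
    changed = update_people(conn, datetime(2024, 1, 1, 12, 0, 0), "John Mc'Doe",
                            100500.52, 11, ">")
    return changed, names(conn), naive_update(conn, "John Mc'Doe")
```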
