Re: sql injection
- Posted by Jeremy Cowgar Jul 13, 2008
- 718 views
> There was a way Perl implementers of the db libraries avoided SQL injection attacks. You would pass the values you were sending outside of the string:
> So the statement would be passed as: insert into tablefoo values (?,?,?,?) and then for each actual execution you would send the four values as part of an argument list.
> I don't know if the .e libraries allow you to do the same thing but they ought to.
That's really a job for the database library you are using because different database servers escape characters differently. Some may use '' to escape a single quote, others will use \'. Now, the way I did it in my unfinished DBI library was to allow you to do things such as:
    dt:datetime now = dt:now()          -- bound via %D (datetime -> SQL date/time string)
    sequence name = "John Mc'Doe"       -- bound via %s (escaped and quoted)
    atom salary = 100500.52             -- bound via %.2f
    integer age = 11                    -- bound via %d
    sequence comparator = ">"           -- bound via %S (inserted raw, not escaped or quoted)
    db:execute(dbh, "UPDATE people SET updated_at=%D, name=%s, salary=%.2f, age=%d WHERE id %S 100",
               {now, name, salary, age, comparator})
The escape codes keep with sprintf as much as possible. The %D converts a datetime.e datetime type into a SQL valid date time string, the %s escapes and quotes the content, the %f, %d work the same as printf, %S is a non-escaped, non-quoted string.
Jeremy
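The two approaches discussed in this post, bound parameters as in the quoted Perl DBI usage versus formatting values into the SQL text, shown side by side as an added example that is not code from this thread or from Jeremy's DBI library. It uses Python's sqlite3 module; the people table, its rows, the function names and the allowlist of comparison operators are assumptions made for the demonstration. The operator case matters because an operator cannot be bound as a parameter (the role of %S above), so it has to be checked rather than escaped.

```python
import sqlite3
from datetime import datetime

# Assumed allowlist for the WHERE operator. An operator is SQL syntax, not a
# value, so it cannot be bound as a parameter; the only safe option is to
# accept it from a fixed set.
ALLOWED_COMPARATORS = {"=", "<", ">", "<=", ">=", "<>"}


def make_db():
    """Constructed sample data: an in-memory SQLite table of people."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, "
        "salary REAL, age INTEGER, updated_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO people (id, name, salary, age, updated_at) VALUES (?, ?, ?, ?, ?)",
        [(1, "alice", 1000.0, 30, "2000-01-01 00:00:00"),
         (2, "bob", 2000.0, 40, "2000-01-01 00:00:00"),
         (150, "carol", 3000.0, 50, "2000-01-01 00:00:00")],
    )
    conn.commit()
    return conn


def sql_datetime(now):
    """Counterpart of the post's %D: render a datetime as a SQL date/time string."""
    return now.strftime("%Y-%m-%d %H:%M:%S")


def update_unsafe(conn, now, name, salary, age, comparator, limit):
    """String-built UPDATE: every value lands inside the SQL text unescaped."""
    sql = (
        "UPDATE people SET updated_at='%s', name='%s', salary=%.2f, age=%d "
        "WHERE id %s %d" % (sql_datetime(now), name, salary, age, comparator, limit)
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_safe(conn, now, name, salary, age, comparator, limit):
    """Parameterised UPDATE: values travel outside the SQL text as a separate
    argument list (the ? placeholders from the quoted Perl DBI usage); the
    operator is the one piece that must be allowlisted instead."""
    if comparator not in ALLOWED_COMPARATORS:
        raise ValueError("comparator not allowed: %r" % comparator)
    sql = (
        "UPDATE people SET updated_at=?, name=?, salary=?, age=? "
        "WHERE id %s ?" % comparator
    )
    cur = conn.execute(sql, (sql_datetime(now), name, salary, age, limit))
    conn.commit()
    return cur.rowcount


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM people ORDER BY id")]


def run_demo():
    """Run both variants on the constructed data and report what happened."""
    now = datetime(2008, 7, 13, 12, 0, 0)
    results = {}

    # 1. A legitimate name containing a quote breaks the string-built query.
    conn = make_db()
    try:
        update_unsafe(conn, now, "John Mc'Doe", 100500.52, 11, ">", 100)
        results["unsafe_quote"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"

    # 2. A crafted name closes the string, rewrites the WHERE clause and
    #    comments out the rest: every row is renamed.
    conn = make_db()
    results["unsafe_injected_rows"] = update_unsafe(
        conn, now, "x' WHERE 1=1 --", 1.0, 1, ">", 100)
    results["unsafe_injected_names"] = names(conn)

    # 3. A crafted operator does the same through the unquoted slot.
    conn = make_db()
    results["unsafe_bad_comparator_rows"] = update_unsafe(
        conn, now, "eve", 1.0, 1, "> 0 OR 1=1 OR id >", 100)

    # 4. The same inputs through bound parameters: the quote is stored
    #    literally and only the one row with id > 100 changes.
    conn = make_db()
    results["safe_rows"] = update_safe(conn, now, "John Mc'Doe", 100500.52, 11, ">", 100)
    results["safe_names"] = names(conn)
    results["safe_crafted_rows"] = update_safe(conn, now, "x' WHERE 1=1 --", 1.0, 1, ">", 100)
    results["safe_crafted_names"] = names(conn)

    # 5. The operator cannot be bound, so the allowlist is what stops it.
    try:
        update_safe(conn, now, "eve", 1.0, 1, "> 0 OR 1=1 OR id >", 100)
        results["safe_bad_comparator"] = "accepted"
    except ValueError:
        results["safe_bad_comparator"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The escaping approach in the post's DBI library is what the database driver does on your behalf with bound parameters; the point of the allowlist is that anything destined for the non-escaped slot (%S) never comes from user input.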