Page 37

  Modifying user data
  Sometimes you can modify the data to make it less harmful.
  Example:  You read an SQL select statement from the user and
  want to allow reads only (no updates, inserts, deletes, etc.).
     use CGI qw(param);
     $_ = param('sql');
     s/ ^ \s* select \s+ //xi;  # strip the initial 'select' (any case)
     $_ = "select $_";          # put it back
     s/ \b into \b //xgi;       # remove the ability to use
                                # 'select ... into'
  This can break, though: every 'into' is removed, including one
  that is legitimate data inside a string literal, and a rewrite
  like this only takes out what the pattern anticipated.
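An added example, not from the slides: the sanitiser above as a function, run over three constructed inputs that show where it breaks, beside an allow-list check (an assumed policy with a made-up table list) that refuses unrecognised input instead of rewriting it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The slide's sanitiser: force a leading 'select', then delete every 'into'.
# (Case-insensitive here; a case-sensitive version would let 'INTO' through.)
sub blacklist_readonly {
    my ($sql) = @_;
    $sql =~ s/ ^ \s* select \s+ //xi;   # strip the initial 'select'
    $sql = "select $sql";               # put it back
    $sql =~ s/ \b into \b //xgi;        # remove 'select ... into'
    return $sql;
}

# Allow-list alternative (assumed policy, not from the slides): accept one
# SELECT over a known table with at most a simple WHERE clause; anything
# else returns undef so the caller refuses the request rather than fixing it.
my %allowed_table = map { $_ => 1 } qw(products orders);   # made-up list

sub whitelist_readonly {
    my ($sql) = @_;
    return undef if $sql =~ /;/;            # no statement stacking
    return undef if $sql =~ m{--|/\*};      # no comments
    my ($table) = $sql =~ m{
        ^ \s* select \s+ [\w\s,*]+ \s+ from \s+ (\w+)
        (?: \s+ where \s+ [\w\s=<>'.]+ )? \s* \z
    }xi or return undef;
    return $allowed_table{ lc $table } ? $sql : undef;
}

# Constructed inputs: a legitimate query whose string data contains 'into',
# a stacked statement, and a 'select ... into outfile'.
my @inputs = (
    "select * from orders where note = 'Journey into Night'",
    "select 1; drop table orders",
    "select * from users into outfile '/tmp/x'",
);

for my $sql (@inputs) {
    my $safe = whitelist_readonly($sql);
    printf "input:     %s\nblacklist: %s\nwhitelist: %s\n\n",
        $sql, blacklist_readonly($sql), defined $safe ? $safe : '(rejected)';
}
```

The first input comes out of the blacklist with its data corrupted ('Journey  Night') and the second comes out unchanged, still carrying the drop; the allow-list passes the first untouched and rejects the other two. Either filter only constrains the statement's shape, so the control to rely on underneath is a database account holding nothing but SELECT privilege.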

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at SPUG, 2003.

Presentation created using vim and MagicPoint.