Page 38: A better way

  A better way
  Instead of 'sanitizing' user input, you can hand it to the database in a better fashion.
  Example using DBI's positional parameters (placeholders):
    use DBI;
    use CGI qw(param);            # param() as in the earlier CGI examples
    my $col1 = param('col1');
    my $col2 = param('col2');
    my $col3 = param('col3');
    my $sql  = "select ?,?,? from sometable";
    my $sth  = $dbh->prepare($sql);   # $dbh: an already-open DBI handle
    $sth->execute( $col1, $col2, $col3 );
  Since the user input travels as bind parameters rather than inside the SQL string, it cannot change the statement's structure: no chance for SQL trickery.
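  As an added example (not from the slides), the same contrast run end to end against an in-memory SQLite database through DBD::SQLite: a quoted-literal-breaking input against an interpolated query versus a placeholder query, plus the caveat that placeholders bind values, never column names. The table, rows and hostile input are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample database (in-memory SQLite, requires DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, role TEXT)");
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, @$_)
    for ['alice', 'admin'], ['bob', 'user'];

# Simulated web input: a value that closes the quoted literal.
my $name = "' OR '1'='1";

# Interpolation: the input becomes part of the SQL text, the WHERE clause
# is rewritten, and the query matches every row.
my $unsafe = $dbh->selectall_arrayref(
    "SELECT name, role FROM users WHERE name = '$name'");
printf "interpolated query: %d rows\n", scalar @$unsafe;

# Placeholder: the driver sends the value separately from the SQL text.
# It is compared as an ordinary string, and no user has that name.
my $sth = $dbh->prepare("SELECT name, role FROM users WHERE name = ?");
$sth->execute($name);
my $safe = $sth->fetchall_arrayref;
printf "placeholder query:  %d rows\n", scalar @$safe;

# Caveat: placeholders bind values, not identifiers. The slide's
# "select ?,?,? from sometable" returns the bound strings as constants,
# not the contents of columns with those names.
my ($got) = $dbh->selectrow_array("SELECT ?, ? FROM users LIMIT 1",
                                  undef, 'name', 'role');
print "SELECT ? with the string 'name' bound returns: $got\n";
```

  Column or table names chosen by the user therefore still need a whitelist lookup on the application side; placeholders only protect the values.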
    

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at SPUG, 2003.

Presentation created using vim and MagicPoint.