Vulnerability Development mailing list archives
Re: malformed sql queries
From: Patrik Birgersson <pbirgersson () telia com>
Date: Tue, 1 Jan 2002 00:55:17 +0100
On Sat, 29 Dec 2001 20:59:51 -0300 "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar> shouted:

> A common query:
>
> (1) SELECT * from table WHERE id=$id
>
> where $id is a variable that the web programmer uses to perform the query.
> This implies that the variable is potentially revalueable (if it is not
> checked before using it).
I may be out of line here, and I've read the replies about filtering input. However, using Perl CGI + DBD/DBI, Apache and MySQL, I write my DB queries like this:

    $sth = $dbh->prepare("SELECT * FROM table WHERE param = ?");
    $sth->execute($param);

This (as I understand) prevents SQL injection into the query, since I don't have the variables directly in the query but supply them upon query execution.

If I'm all wrong here, please let the flames begin....

Patrik Birgersson

"No man is good enough to govern another man without that other's consent."
- Abraham Lincoln (1809 - 1865)
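Added example, not from the original post: Python's sqlite3 DB-API stands in for Perl DBI (it uses the same `?` placeholder convention), and a constructed in-memory table stands in for the thread's "table". It runs the interpolated query Gabriel quoted beside the bound-parameter form Patrik describes, on the same input, so the difference is visible in the rows returned.

```python
import sqlite3


def make_db():
    """Constructed sample data: three rows, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO t VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_interpolated(conn, id_value):
    """The quoted pattern: the variable is pasted into the SQL text.

    Whatever the caller passes becomes part of the statement the
    engine parses, so the caller can change the WHERE clause.
    """
    sql = "SELECT id, name FROM t WHERE id=%s" % id_value
    return conn.execute(sql).fetchall()


def lookup_bound(conn, id_value):
    """Patrik's pattern: a ? placeholder, value supplied at execute time.

    The driver hands id_value to the engine as data for the already
    parsed statement; it is never re-parsed as SQL.
    """
    return conn.execute(
        "SELECT id, name FROM t WHERE id=?", (id_value,)
    ).fetchall()


def compare(id_value):
    """Return (interpolated_rows, bound_rows) for one input value."""
    conn = make_db()
    try:
        return lookup_interpolated(conn, id_value), lookup_bound(conn, id_value)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed id behaves the same either way.
    print(compare("2"))
    # Extra SQL in the value only takes effect in the interpolated form.
    print(compare("2 OR 1=1"))
```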