WebApp Sec mailing list archives

Re: SQL Injection Basics


From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Tue, 11 Feb 2003 23:32:40 -0700

> perl/DBI/DBD to access a database like mysql, works great, and you don't
> even have to think about security, just remember to pass any variables in as
> bind variables.  Here's an example:
>         use DBI;
>         # $dbsystem, $dbname, $dbuser, $dbpass, $name and $email are set elsewhere
>         my $dbh = DBI->connect("DBI:$dbsystem:$dbname", $dbuser, $dbpass,
>                                { RaiseError => 1 });
>         my $sth = $dbh->prepare("INSERT INTO contacts (name,email) VALUES (?,?)");
>         # execute() binds the values as data; they are never spliced into the SQL text
>         $sth->execute($name, $email);
true. Yes but I think we need to be paranoid anyhow.
> Some people mentioned that if you use prepared statements "you lose
> compatibility with different database systems."  If I understand DBI
> correctly, it was designed so the code written above will work with any
> database with only one modification: updating the global variable $dbsystem
> from "mysql" to "oracle" for example.  Of course if the database you're
> switching to has different "features" than the one you're switching from,
> there's nothing DBI can do to help you with that.
That is the intent of DBI::
Although this is the one I am most familiar with, it is very specific.
> So I would go so far as to say using DBI's prepared statements for database
> interaction is considered a "best practice" for securely accessing a
> database in perl.  I'm curious if there's a central repository of other such
> "best practices" for other languages (ASP, java, PHP, etc.).  I went to
AFAIK there isn't any for the langs you mention. 

Best Regards,
dreamwvr () dreamwvr com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]
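The point made in the quoted text, that DBI placeholders carry values as data and that only $dbsystem changes between back ends, as a runnable added example (not code from the thread or from DBI's own documentation). It assumes DBD::SQLite is installed and uses an in-memory database with constructed sample rows; the lookup functions, the contact names and the probe string are all made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed: DBD::SQLite is installed. An in-memory database keeps the example
# self-contained; swapping $dbsystem and the DSN tail is the only change DBI
# needs to point the same code at MySQL, Oracle, etc.
my $dbsystem = 'SQLite';
my $dbname   = ':memory:';
my $dbh = DBI->connect("DBI:$dbsystem:dbname=$dbname", '', '',
                       { RaiseError => 1, PrintError => 0 });

$dbh->do('CREATE TABLE contacts (name TEXT, email TEXT)');

# Constructed sample data (not from the thread). The apostrophe in the first
# name is perfectly legitimate input and is enough to break naive string building.
my $ins = $dbh->prepare('INSERT INTO contacts (name, email) VALUES (?, ?)');
$ins->execute("O'Reilly", 'tim@example.com');
$ins->execute('Wall',     'larry@example.com');

# The pattern the thread warns against: the value is spliced into the SQL text.
# Returns the number of rows matched, or 'query failed' if the SQL did not parse.
sub lookup_interpolated {
    my ($name) = @_;
    my $rows = eval {
        $dbh->selectall_arrayref("SELECT email FROM contacts WHERE name = '$name'");
    };
    return defined $rows ? scalar @$rows : 'query failed';
}

# The same lookup with a placeholder: the value is bound as data, so quotes and
# SQL keywords inside it have no syntactic meaning.
sub lookup_bound {
    my ($name) = @_;
    my $rows = $dbh->selectall_arrayref(
        'SELECT email FROM contacts WHERE name = ?', undef, $name);
    return scalar @$rows;
}

# Two inputs: a real name containing a quote, and a classic tautology probe.
for my $name ("O'Reilly", "x' OR '1'='1") {
    printf "%-14s interpolated: %-13s bound: %d\n",
        $name, lookup_interpolated($name), lookup_bound($name);
}
```

Run with `perl` once DBD::SQLite is present. The interpolated query cannot even parse the legitimate name because of the embedded quote, and it matches every row for the tautology probe; the bound query returns exactly the one O'Reilly row and nothing for the probe, without the caller having to escape anything. Because the SQL text and the data travel separately, the same two subs work unchanged when $dbsystem points at another DBD driver.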

