List: MySQL and Perl
From: Jochen Wiedmann  Date: March 20 2000 8:03pm
Subject: Re: Does DBI::MySQL have any way to scrub text entries displayed on web pages?
Jon and Jenny Steltenpohl wrote:

> I'm trying to set up my MySQL database to serve up a weblog a la
> slashdot, and I'm wondering if DBI::MySQL has any functionality to
> scan a text entry for malicious embedded code.  I don't see it in the
> DBI info, and I really don't suppose it should be in there.

There is no such functionality as you request. What kind
of malicious code do you consider?

Do you want to embed code in a shell command? Don't! (See the
perlsec man page.) If you really need to, use the quotemeta
function, or better use

	system "a", "b", "c", "d"

rather than

	system "a b c d"


If you want to insert code into SQL statements, the method
$dbh->quote() or placeholders will be of help.

Otherwise the general rule of thumb is: Never detect malicious
code! Instead detect fine code (using a regex for correct code)
and not vice versa.


Bye,

Jochen
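The following added example (not part of Jochen's message) puts his three pieces of advice into one Perl script: an allow-list regex that accepts only known-good input, DBI placeholders with $dbh->quote() as the fallback, and the list form of system. It assumes DBD::SQLite is installed for an in-memory demo database; against MySQL the same DBI calls apply with a different DSN.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# 1. "Detect fine code": an allow-list regex accepts only the characters an
#    author name may contain and rejects everything else, no blacklist needed.
sub valid_author {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_ .-]{1,40}\z/;
}

# 2. Placeholders: the text travels as a bound parameter, never as part of the
#    SQL string, so quotes and semicolons in $body remain plain data.
sub store_entry {
    my ($dbh, $author, $body) = @_;
    die "rejected author name\n" unless valid_author($author);
    my $sth = $dbh->prepare('INSERT INTO entries (author, body) VALUES (?, ?)');
    $sth->execute($author, $body);
    return $dbh->last_insert_id(undef, undef, 'entries', undef);
}

# 3. List-form system: no shell parses the arguments, so metacharacters in
#    $file cannot start a second command (contrast: system "echo $file").
sub show_file_name {
    my ($file) = @_;
    return system('echo', $file) == 0;
}

# Demo (DBD::SQLite in memory assumed; MySQL needs only a different DSN).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE entries (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

my $hostile = q{'); DROP TABLE entries; --};     # constructed sample input
my $id = store_entry($dbh, 'jochen', $hostile);
my ($stored) = $dbh->selectrow_array('SELECT body FROM entries WHERE id = ?', undef, $id);
print 'stored verbatim: ', ($stored eq $hostile ? 'yes' : 'no'), "\n";

# $dbh->quote() is the fallback when a placeholder is impossible; it yields a
# correctly escaped literal rather than stripping "bad" characters.
print 'quoted: ', $dbh->quote($hostile), "\n";

eval { store_entry($dbh, '<b>bob</b>', 'text') };   # fails the allow-list
print 'bad author rejected: ', ($@ ? 'yes' : 'no'), "\n";

show_file_name('a.txt; echo injected');   # prints the literal, runs no second echo
```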
