Jon and Jenny Steltenpohl wrote:
> I'm trying to set up my MySQL database to serve up a weblog a la
> slashdot, and I'm wondering if DBI::MySQL has any functionality to
> scan a text entry for malicious embedded code. I don't see it in the
> DBI info, and I really don't suppose it should be in there.
There is no such functionality as you request. What kind
of malicious code do you have in mind?
Do you want to embed code in a shell command? Don't! (See the
perlsec man page.) If you really need to, use the quotemeta
function, or better, use
system "a", "b", "c", "d"
rather than
system "a b c d"
If you want to insert code into SQL statements, the method
$dbh->quote() or placeholders will be of help.
Otherwise the general rule of thumb is: never detect malicious
code! Instead, detect fine code (using a regex for correct code),
not vice versa.
Bye,
Jochen
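A worked Perl example of the three points above (placeholders and $dbh->quote for SQL, list-form system for shell commands, and an allowlist regex that accepts only known-good input). This is added here as an illustration and is not code from Jochen's reply or from DBI itself; it assumes DBD::SQLite is installed, uses an in-memory database, and the weblog entry it stores is constructed sample input chosen to contain SQL and shell metacharacters.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample input: a weblog entry whose fields would break a
# naively interpolated SQL string or shell command.
my $title = q{Robert'); DROP TABLE entries; -- };
my $body  = q{Hello `rm -rf /` world; $(id)};

# 1. Allowlist validation ("detect fine code"): accept only what a
#    title is allowed to look like and reject everything else.  The
#    character class here is an assumption about this weblog's rules.
sub valid_title {
    my ($t) = @_;
    return defined $t && $t =~ /\A[\w .,!?'-]{1,80}\z/;
}

# 2. Placeholders: the driver sends $title and $body as data, never as
#    SQL text, so no quoting is needed on your side.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

my $sth = $dbh->prepare('INSERT INTO entries (title, body) VALUES (?, ?)');
$sth->execute($title, $body);

# $dbh->quote is the fallback when you must build the statement string
# yourself (e.g. a dynamic column list).  Never interpolate raw input:
#   "... WHERE title = '$title'"   # would let the -- comment out the rest
my $quoted = $dbh->quote($title);
my ($n) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM entries WHERE title = $quoted");
printf "rows matching the literal title: %d\n", $n;   # the table still exists

# 3. Shell: the list form of system bypasses /bin/sh entirely, so the
#    backticks and $(...) in $body reach echo as one literal argument.
system('echo', 'stored:', $body) == 0 or die "echo failed: $?";

# The string form would hand $body to the shell for parsing; left here
# commented out on purpose as the "don't" case.
# system("echo stored: $body");

printf "title %s allowlist validation\n",
    valid_title($title) ? 'passes' : 'fails';   # fails: ')' and ';' are not allowed
```

Run with `perl -T` as perlsec recommends and the script will refuse to pass tainted input to system until it has been through a regex capture such as the one in valid_title, which is the mechanical enforcement of "detect fine code, not malicious code".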