Christian Jaeger wrote:
> The problem arises in practical use when you expect a user input to be a
> number, do some == comparison first, and then use the same variable as
> input for execute. Current workarounds include comparing numbers stringwise
> instead ("5" eq $var) or checking myself that the user input is a number. (If you
> don't, you risk at least your application dying on string input and hence,
> in case of FastCGI, being an easy target for denial of service attacks.)
The simplest way to convert is using int($var).
If you want to detect wrong input: enable warnings and use the
$SIG{__WARN__} handler.
> My question is also if there are reasons for DBD::mysql to differentiate
> between numbers and strings. As far as I have seen, mysql doesn't bother at
> all about numbers being quoted or not, so it would probably be safe just to
> quote any input.
The reason is portability to mSQL.
Bye,
Jochen
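Jochen's int() plus $SIG{__WARN__} suggestion, worked out as an added example (not code from the original message, from DBI or from DBD::mysql); the to_int helper and the sample inputs are assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Convert a user-supplied value to an integer, but report input that is
# not numeric instead of silently accepting it or letting the script die.
# Returns the integer on success, undef when Perl warned that the
# argument isn't numeric. Hypothetical helper, not DBI/DBD code.
sub to_int {
    my ($raw) = @_;
    return undef unless defined $raw;
    my $bad = 0;
    # Under 'use warnings', int("abc") emits 'Argument "abc" isn't numeric';
    # the local handler turns that warning into a flag rather than noise.
    local $SIG{__WARN__} = sub {
        my ($msg) = @_;
        if ($msg =~ /isn't numeric/) { $bad = 1 } else { warn $msg }
    };
    my $n = int($raw);
    return $bad ? undef : $n;
}

# Constructed sample inputs standing in for CGI/FastCGI parameters.
for my $input ("5", "3.7", "12abc", "abc", "") {
    my $n = to_int($input);
    if (defined $n) {
        # $n is now a plain integer: safe for both "5" == $n and as a
        # bind value, e.g. $sth->execute($n) (no database used here).
        printf "%-10s -> accepted as %d\n", "'$input'", $n;
    } else {
        # Reject the request rather than letting the application die,
        # which removes the denial-of-service angle Christian describes.
        printf "%-10s -> rejected (not a number)\n", "'$input'";
    }
}
```

Note that int() truncates, so "3.7" is accepted as 3; if fractional input must be rejected too, match the raw string against /^\s*-?\d+\s*$/ before converting.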