List: MySQL and Perl
From: Jochen Wiedmann
Date: August 22 2000 10:35am
Subject: Re: Problem quoting parameters in execute()

Christian Jaeger wrote:

> The problem arises in practical use when you expect a user input to be a
> number, do some == comparison first, and then use the same variable as
> input for execute. Current workarounds include comparing numbers stringwise
> instead ("5" eq $var) or checking myself that the user input is a number. (If you
> don't, you risk at least your application dying on string input and hence,
> in the case of fastcgi, being an easy target for denial of service attacks.)

The simplest way of conversion is using

	int($var)

If you want to detect wrong input: Enable warnings and use the
$SIG{__WARN__} handler.


> My question is also if there are reasons for DBD::mysql to differentiate
> between numbers and strings. As far as I have seen, mysql doesn't bother at
> all about numbers being quoted or not, so it would probably be safe just to
> quote any input.

The reason is portability to mSQL.

Bye,

Jochen
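The exchange above is about a value that is first used in a numeric comparison and then handed to execute(). The following is an added example, not code from either poster, showing the defensive pattern both messages point at: validate untrusted input as an integer before it touches either a numeric operator or a bind parameter, and turn Perl's "isn't numeric" warnings into hard errors via $SIG{__WARN__} so that any unvalidated value is caught in testing rather than silently producing a bad query at runtime. The DSN, credentials and the items table are assumed placeholders; the sample input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Validate untrusted input before it is used numerically or as a bind value.
# Returns the canonical integer, or undef if the input is not a plain
# decimal integer. Deliberately stricter than Scalar::Util::looks_like_number,
# which would also accept "1e3", " 5", "Inf" and similar.
sub parse_int {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A[+-]?\d{1,18}\z/;
    return 0 + $raw;    # numeric context: "007" becomes 7
}

# Promote "isn't numeric" warnings to fatal errors (the approach suggested in
# the reply above). Such a warning means a value reached a numeric operator
# without having gone through parse_int() first, which is exactly the bug
# that later makes execute() see a mis-typed parameter.
$SIG{__WARN__} = sub {
    my ($msg) = @_;
    die "numeric misuse: $msg" if $msg =~ /isn't numeric/;
    warn $msg;
};

# Constructed stand-in for untrusted user input (e.g. a CGI parameter).
my $raw_id = defined $ARGV[0] ? $ARGV[0] : 'abc';

my $id = parse_int($raw_id);
unless (defined $id) {
    # Reject cleanly instead of letting the application die on bad input.
    print "rejected non-integer input: '$raw_id'\n";
    exit 1;
}

# Safe to compare numerically now; no "isn't numeric" warning is possible.
print "id is five\n" if $id == 5;

# Placeholder DSN and credentials (assumed, not from the thread). The value is
# passed as a bind parameter, so the driver quotes it and nothing from the
# user is ever interpolated into the SQL text.
my $dbh = DBI->connect(
    'DBI:mysql:database=test;host=localhost', 'user', 'pass',
    { RaiseError => 1, PrintError => 0 },
);
my $sth = $dbh->prepare('SELECT name FROM items WHERE id = ?');
$sth->execute($id);
while (my ($name) = $sth->fetchrow_array) {
    print "$name\n";
}
$dbh->disconnect;
```

Run it as `perl check_id.pl 5` (accepted) or `perl check_id.pl abc` (rejected before any database access). Because the same validated $id is used for both the == comparison and execute(), the scalar is never in an ambiguous number-versus-string state when the driver decides how to quote it.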