Christian Jaeger wrote:
> The problem arises in practical use when you expect a user input to be a
> number, do some == comparison first, and then use the same variable as
> input for execute. Current workarounds include comparing numbers stringwise
> instead ("5" eq $var) or checking myself that the user input is a number. (If you
> don't, you at least risk your application dying on string input and hence,
> in the case of fastcgi, being an easy target for denial of service attacks.)
The simplest way of conversion is using
int($var)
If you want to detect wrong input: Enable warnings and use the
$SIG{__WARN__} handler.
> My question is also if there are reasons for DBD::mysql to differentiate
> between numbers and strings. As far as I have seen, mysql doesn't bother at
> all about numbers being quoted or not, so it would probably be safe just to
> quote any input.
The reason is portability to mSQL.
Bye,
Jochen
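The following is an added example, not code from either poster, showing the validation approach suggested above: convert the user's value with int() under "use warnings", trap the "isn't numeric" warning with a local $SIG{__WARN__} handler, and only then use the value in a == comparison and as a bind value for execute(). The table name, column name and the use of the DBI_DSN/DBI_USER/DBI_PASS environment variables are assumptions for the example; the sample inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread. Validates user input
# before it is used both in a numeric == comparison and as a bind value
# for DBI execute(), so a string input is rejected instead of killing the
# process (the fastcgi denial-of-service concern raised in the thread).
use strict;
use warnings;
use DBI qw(:sql_types);   # SQL_INTEGER for explicit bind typing

# Convert $input with int() and report failure instead of dying.
# Under "use warnings", int() on a string such as "abc" emits
# "Argument ... isn't numeric"; the local $SIG{__WARN__} handler
# turns that warning into an undef return value.
sub to_int_or_undef {
    my ($input) = @_;
    return undef unless defined $input;
    my $warned = 0;
    my $n = do {
        local $SIG{__WARN__} = sub { $warned = 1 };
        int($input);
    };
    return $warned ? undef : $n;
}

# Stricter alternative: accept only an optionally signed decimal integer.
# int() silently accepts "1e3", "inf" and "nan", so a regex is safer
# when the column really is an integer.
sub strict_int {
    my ($input) = @_;
    return (defined $input && $input =~ /\A-?\d+\z/) ? $input + 0 : undef;
}

# Constructed sample inputs, as a web application might receive them.
my @samples = ("5", "42", "abc", "5abc", "1e3", "", "nan", "-7");

for my $raw (@samples) {
    my $loose  = to_int_or_undef($raw);
    my $strict = strict_int($raw);
    printf "%-7s int-with-warn-trap: %-7s strict: %s\n",
        "'$raw'",
        defined $loose  ? $loose  : 'reject',
        defined $strict ? $strict : 'reject';
}

# Database part: runs only when a DSN is supplied via the DBI_DSN
# environment variable (DBI->connect falls back to DBI_DSN, DBI_USER and
# DBI_PASS when the arguments are undef). The users table and its id
# column are assumptions for this example.
if ($ENV{DBI_DSN}) {
    my $dbh = DBI->connect(undef, undef, undef,
                           { RaiseError => 1, PrintError => 0 });
    my $id = strict_int($samples[0]);   # "5" -> 5
    if (defined $id && $id == 5) {      # numeric comparison is now safe
        my $sth = $dbh->prepare('SELECT name FROM users WHERE id = ?');
        # Bind as an integer explicitly so the driver does not have to
        # guess from the value's shape whether to quote it.
        $sth->bind_param(1, $id, SQL_INTEGER);
        $sth->execute;
        while (my ($name) = $sth->fetchrow_array) { print "$name\n" }
    }
    $dbh->disconnect;
}
```

Run it without DBI_DSN to see which inputs each check rejects; the warning-trap version accepts "1e3" and "nan" because int() handles them without warning, which is why the regex variant is preferable when an integer column is expected. The explicit SQL_INTEGER bind also sidesteps the driver's number-versus-string guessing that the second question asks about.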