Re: DBI: CREATE USER statement fails

Discussion in 'Perl Misc' started by Alan Curry, Dec 21, 2013.

  1. Alan Curry

    Alan Curry Guest

    In article <>,
    Kai Schaetzl <> wrote:
    >
    >/testmysqluser.pl testuser4 "testuser4-test"
    >DBD::mysql::db do failed: String 'testuser4' IDENTIFIED BY ' is too long for user name
    >(should be no longer than 16) at ./testmysqluser.pl line 19.

    [...]
    >
    >$sql = "CREATE USER '$user'@'localhost' IDENTIFIED BY '$password'";
    >


    Notice how the localhost part didn't show up in the error message? That's a
    clue. A bigger clue can be seen if you'd just enable warnings:

    Possible unintended interpolation of @::localhost in string at - line 4.
    Name "main::localhost" used only once: possible typo at - line 4.

    To put an @ character in a qq string you need to use \@ or you'll be
    interpolating an array.

    @'localhost is equivalent to @::localhost because of compatibility with an
    ancient perl version that wasn't trying to look like C++.

    --
    Alan Curry
     
    Alan Curry, Dec 21, 2013
    #1
    1. Advertising

  2. Ben Morrow <> writes:
    > Quoth Alan Curry <>:
    >> In article <>,
    >> Kai Schaetzl <> wrote:
    >> >
    >> >/testmysqluser.pl testuser4 "testuser4-test"
    >> >DBD::mysql::db do failed: String 'testuser4' IDENTIFIED BY ' is too

    >> long for user name
    >> >(should be no longer than 16) at ./testmysqluser.pl line 19.

    >> [...]
    >> >
    >> >$sql = "CREATE USER '$user'@'localhost' IDENTIFIED BY '$password'";
    >> >

    >>
    >> Notice how the localhost part didn't show up in the error message? That's a
    >> clue. A bigger clue can be seen if you'd just enable warnings:
    >>
    >> Possible unintended interpolation of @::localhost in string at - line 4.
    >> Name "main::localhost" used only once: possible typo at - line 4.
    >>
    >> To put an @ character in a qq string you need to use \@ or you'll be
    >> interpolating an array.

    >
    > If the OP had used placeholders and a single-quoted string this problem
    > would have never existed:
    >
    > my $sql = 'CREATE USER ?@? IDENTIFIED BY ?';
    > $dbh->do($sql, undef, $user, "localhost", $password);
    >
    > This will also avoid potential SQL-injection problems if $password
    > contains a single-quote character.


    This deserves some emphasis: The sole reason why 'SQL injection' exists
    at all is because people construct complex SQL-statements via string
    interpolation and get the quoting wrong because this is much more
    complicated than simply passing a template statement with placeholders
    to 'the DB engine' (however implemented) and a list of
    parameters. Programming is not a sport abnd there are no consolation
    prizes for "trying hard to accomplish something stupid and failing at
    that". Use the simple way.
     
    Rainer Weikusat, Dec 22, 2013
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. ulloa
    Replies:
    1
    Views:
    538
    Juha Laiho
    Jul 22, 2004
  2. Jerome Hauss
    Replies:
    0
    Views:
    181
    Jerome Hauss
    Oct 13, 2004
  3. Asby

    Mason, DBI, and DBI::Pg

    Asby, Jul 24, 2003, in forum: Perl Misc
    Replies:
    0
    Views:
    186
  4. Tim Haynes
    Replies:
    3
    Views:
    148
    Ron Reidy
    Sep 13, 2003
  5. gamo
    Replies:
    0
    Views:
    87
Loading...

Share This Page