Ulrich Herbst
Hi!
I want to insert data from user input into a database (with DBI):
my $sth = $dbh->prepare(q(
INSERT INTO table
(col1,col2,col3)
VALUES (?, ?, ?)
));
my $rc=$sth->execute($data1,$data2,$data3);
Do I have to deal with SQL injection if I use DBI placeholders?
In other words: do I have to "untaint" $data1, $data2, $data3?
(Yes, I know that bind variables/placeholders can be much faster.)
Uli
--
'''
(0 0)
+------oOO----(_)--------------+
| |
| Ulrich Herbst |
| |
+-------------------oOO--------+
|__|__|
|| ||
ooO Ooo
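The following is an added example, not code from the post above. It puts the two approaches side by side in Perl/DBI so the difference is visible: a value interpolated into the SQL text can rewrite the statement, while a value bound to a placeholder is sent to the driver as data and is never parsed as SQL, so a quote character in it is stored or compared literally. It assumes DBD::SQLite is installed (an in-memory database keeps it self-contained); the `users` table and the hostile input string are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not from the original post. Assumes DBD::SQLite is
# installed; an in-memory database keeps everything self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample table and rows.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$dbh->do("INSERT INTO users (name, role) VALUES ('alice', 'admin')");
$dbh->do("INSERT INTO users (name, role) VALUES ('bob',   'user')");

# Constructed hostile input: what an attacker might type into a "name" field.
my $attacker = "nobody' OR '1'='1";

# 1. Unsafe: interpolating the value into the SQL string. The quote in the
#    input closes the literal and the rest becomes part of the WHERE clause,
#    so the query matches every row.
my $unsafe_rows = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = '$attacker'");
printf "interpolated: %d row(s) returned\n", scalar @$unsafe_rows;

# 2. Safe: the same query with a placeholder. DBI passes the value to the
#    driver separately from the SQL text, so the quote characters are compared
#    literally and no existing row matches.
my $safe_rows = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = ?", undef, $attacker);
printf "placeholder:  %d row(s) returned\n", scalar @$safe_rows;

# 3. The INSERT pattern from the post, fed the same hostile input: the value is
#    stored exactly as supplied, quotes included, and the rest of the statement
#    is unaffected.
my $sth = $dbh->prepare("INSERT INTO users (name, role) VALUES (?, ?)");
$sth->execute($attacker, 'user');
my ($stored) = $dbh->selectrow_array(
    "SELECT name FROM users WHERE name = ?", undef, $attacker);
printf "stored literally: %s\n", ($stored eq $attacker ? "yes" : "no");

$dbh->disconnect;
```

Running this, the interpolated query returns both of the original rows, the placeholder query returns none, and the inserted row comes back with the quote characters intact. Two caveats worth keeping in mind: placeholders bind values only, so a table or column name, or an ORDER BY direction, taken from user input cannot be protected this way and must be checked against a fixed allow-list instead; and binding a value does not validate it for any other purpose (length, format, later use in HTML or a shell), so input validation is still needed for those reasons even though it is not needed to keep the SQL intact.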