Re: Sql injection attacks
| From | Lincoln Yeoh |
|---|---|
| Subject | Re: Sql injection attacks |
| Date | |
| Msg-id | 5.2.1.1.1.20040729045139.02b49448@localhost |
| In reply to | Re: Sql injection attacks (Harald Fuchs <hf0722x@protecting.net>) |
| List | pgsql-general |
At 05:30 PM 7/28/2004 +0200, Harald Fuchs wrote:

> Even if $input contains '%' or '_', those characters get properly escaped.

What versions are you using? The versions I'm using are a bit old.

DBD::Pg 1.22 (3 versions old)
Postgresql 7.3.4

Schema+data:

```sql
create table test3 (a integer, b text);
insert into test3 (a,b) values (1,'a');
insert into test3 (a,b) values (2,'b');
insert into test3 (a,b) values (3,'c');
insert into test3 (a,b) values (4,'d');
```

code:

```perl
#!/usr/bin/perl -wT
use strict;
use DBI();

my ($DBNAME,$DBUSER,$DBPASS)=('DB','user','pass');
my $dbh = DBI->connect('DBI:Pg(AutoCommit => 0):dbname='.$DBNAME,$DBUSER,$DBPASS);

# bind -1 to the placeholder in "1-?"
dbdo("update test3 set a=1-? where a=4","error testing",-1);
$dbh->commit;
$dbh->disconnect();
exit 0;

# dbdo(SQL, error message, bind values...): prepare and execute, die on failure
sub dbdo {
    my $SQL=shift||'';
    # dolog('DEBUG',$SQL);
    my $errmsg=shift||'Unable to run database query!';
    my $sth=$dbh->prepare($SQL) or die($errmsg.'|'.$DBI::errstr);
    # dolog('DEBUG','prepared');
    my $rv='';
    $rv=$sth->execute(@_) or die($errmsg.'|'.$DBI::errstr);
    # dolog('DEBUG','executed');
    return ($sth,$rv);
}
```
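As an added illustration (not part of the thread), the same `test3` table and `update` statement run under sqlite3 in Python, once with the bound value spliced into the SQL text client-side (the behaviour the test above is probing for) and once with real parameter binding. `naive_interpolate` is a hypothetical stand-in written here, not DBD::Pg's code, and sqlite3 stands in for PostgreSQL.

```python
import sqlite3

# Same table and statement as in the message above (constructed here for sqlite3)
SCHEMA = """
create table test3 (a integer, b text);
insert into test3 (a,b) values (1,'a');
insert into test3 (a,b) values (2,'b');
insert into test3 (a,b) values (3,'c');
insert into test3 (a,b) values (4,'d');
"""
SQL = "update test3 set a=1-? where a=4"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def naive_interpolate(sql, params):
    """Hypothetical stand-in for a driver that emulates placeholders by pasting
    the bound value into the SQL text: strings are quoted with ' doubled,
    numbers are pasted verbatim, so a leading minus sign survives untouched."""
    out = sql
    for p in params:
        lit = str(p) if isinstance(p, (int, float)) else "'" + str(p).replace("'", "''") + "'"
        out = out.replace("?", lit, 1)
    return out

def rows(conn):
    return conn.execute("select a, b from test3 order by b").fetchall()

def run_naive(value):
    """Text splicing: returns the SQL actually executed and the resulting table."""
    conn = fresh_db()
    stmt = naive_interpolate(SQL, [value])
    conn.execute(stmt)
    return stmt, rows(conn)

def run_bound(value):
    """Real parameter binding: the value never becomes part of the SQL text."""
    conn = fresh_db()
    conn.execute(SQL, (value,))
    return rows(conn)

if __name__ == "__main__":
    stmt, after = run_naive(-1)
    print(stmt, after)      # '1--1': the '--' starts a comment, the WHERE clause is lost
    print(run_bound(-1))    # only the a=4 row changes, to 1-(-1)=2
```

With `-1` the spliced statement updates every row, while the bound version touches only the row with `a=4`; for a positive value both paths agree, which is why such a test needs a negative operand.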