Re: Extending Class::DBI's search abilities


From: Tony Bowden
Subject: Re: Extending Class::DBI's search abilities
Date: 10:29 on 26 Jul 2004
On Mon, Jul 26, 2004 at 09:58:23AM +0100, Jack Challen wrote:
> BTW, it looks to me like the order_by value could be vulnerable to an 
> SQL-injection attack.

Don't pass user data straight through to search without checking it
first ...

> Anyway, where does the sql_Retrieve method get defined? I've grep'd my 
> tree of installed Perl modules, and I can't see it anywhere.
> I'm not quite sure what it does, and therefore whether I need to use it.

It's near the top of Class::DBI:

__PACKAGE__->set_sql(Retrieve => <<'');
SELECT __ESSENTIAL__
FROM   __TABLE__
WHERE  %s

Tony
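As an added example (not code from this thread or from Class::DBI itself), one way to follow the advice above: check a caller-supplied order_by value against an allowlist of sortable columns before it reaches search(), so that only a known column name and an optional direction can ever be interpolated. The table name, column names and the Music::Artist class mentioned in the trailing comment are assumptions, as is the hashref-as-last-argument form of search() for passing order_by.

```perl
#!/usr/bin/perl
# Added example, not part of the original thread or of Class::DBI:
# allowlist an order_by value before it is handed to Class::DBI's search().
use strict;
use warnings;

# Columns the application is willing to sort by, per table (assumed names).
my %sortable = (
    artist => { map { $_ => 1 } qw(id name formed) },
);

# Return a safe "column DIR" fragment for a caller-supplied value such as
# "name" or "formed DESC", or die. The pattern admits one identifier and an
# optional ASC/DESC only, so quotes, commas, comments and subselects never
# get through; the column must also be in the allowlist for that table.
sub safe_order_by {
    my ($table, $raw) = @_;
    my $cols = $sortable{$table} or die "no sortable columns for '$table'";
    defined $raw && $raw =~ /\A\s*(\w+)(?:\s+(asc|desc))?\s*\z/i
        or die "rejected order_by value";
    my ($col, $dir) = (lc $1, uc($2 || 'ASC'));
    $cols->{$col} or die "column '$col' is not sortable";
    return "$col $dir";
}

# Constructed inputs: the first two are legitimate, the rest are shapes that
# must never be interpolated into an ORDER BY clause.
for my $input ('name', 'formed DESC', 'name,id', "name'", 'id; --') {
    my $safe = eval { safe_order_by(artist => $input) };
    printf "%-12s => %s\n", $input, defined $safe ? $safe : 'REJECTED';
}

# Usage with Class::DBI (assumed Music::Artist class with those columns):
#   my @artists = Music::Artist->search(
#       label => $label, { order_by => safe_order_by(artist => $param) });
```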
