[CDBI] Re: Using scalar functions with AbstractSearch

[prev] [thread] [next] [Date index for 2006/02/02]

From: Edward J. Sabol
Subject: [CDBI] Re: Using scalar functions with AbstractSearch
Date: 05:16 on 02 Feb 2006
Rhesa wrote:
> I suppose it's my lack of experience with postgresql, but I find it a
> bit unsettling that placeholder values would be executed instead of
> used as plain strings. I would not have expected
>
> $sth->execute( " where end > ? and start < ? ", {}, qw/ now() now() / );
>
> to give the same resultset as
>
> $sth->execute( " where end > now() and start < now() ", {}, qw// );
>
> Is it just me, or does that look like a potential sql injection hole?

I'm with Rhesa on this one. None of the DBDs I've used allow this, and I
would not have expected DBD::Pg to either. It does seem dangerous.

_______________________________________________
ClassDBI mailing list
ClassDBI@xxxxx.xxxxxxxxxxxxxxxx.xxx
http://lists.digitalcraftsmen.net/mailman/listinfo/classdbi

(message missing)

[CDBI] Using scalar functions with AbstractSearch
Dylan Vanderhoof 23:37 on 01 Feb 2006

Re: [CDBI] Using scalar functions with AbstractSearch
Rhesa Rozendaal 23:50 on 01 Feb 2006

Re: [CDBI] Using scalar functions with AbstractSearch
Rhesa Rozendaal 00:07 on 02 Feb 2006

Re: [CDBI] Using scalar functions with AbstractSearch
Rhesa Rozendaal 01:41 on 02 Feb 2006

Re: [CDBI] Using scalar functions with AbstractSearch
Rhesa Rozendaal 04:54 on 02 Feb 2006

[CDBI] Re: Using scalar functions with AbstractSearch
Edward J. Sabol 05:16 on 02 Feb 2006

Re: [CDBI] Using scalar functions with AbstractSearch
Tatsuhiko Miyagawa 05:33 on 02 Feb 2006

RE: [CDBI] Using scalar functions with AbstractSearch
Dylan Vanderhoof 05:29 on 02 Feb 2006

Generated at 17:59 on 03 Feb 2006 by mariachi v0.52