Brandon Black wrote:
> On 12/5/06, Daniel McBrearty <[EMAIL PROTECTED]> wrote:
>
>> This is what I'm talking about. I don't know this technique - I
>> thought the only approach was to filter input. I'm using DBIx, AFAIK
>> it does use placeholders ... ? If so, I can just take input, do some
>> basic "sanity" filtering, and store?
>
> Yes, DBIC does use placeholders in most situations. However, the
> NoBindVars-based Storage classes do not. This includes the notable
> example of MSSQL via DBD::Sybase, which uses NoBindVars to work around
> issues with FreeTDS and/or DBD::Sybase. The only really good way to
> fix this is to fix the DBDs or underlying DB libraries to properly
> support bind variables in all cases.
If you can't use bind variables, can't you just use DBI's quote method to
prevent SQL injection?

    $sql_safe = $dbh->quote($value);

Cheers,
Dave

_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
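As an added example (not code from the thread or from DBIx::Class), the Perl script below runs the three approaches discussed above against an in-memory SQLite database: naive string interpolation, `$dbh->quote`, and a bind placeholder. It assumes DBI and DBD::SQLite are installed and uses a constructed input containing a single quote.

```perl
#!/usr/bin/env perl
# Added example, not part of the original thread: compares naive
# interpolation, $dbh->quote and placeholders on an in-memory SQLite DB.
# Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (name TEXT)");
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, $_)
    for ("alice", "O'Brien");

# Constructed untrusted input: a plain name that happens to contain a quote.
my $input = "O'Brien";

# 1. Naive interpolation: the quote in the input ends the string literal,
#    so the statement is no longer the one the programmer wrote.
my $naive = "SELECT COUNT(*) FROM users WHERE name = '$input'";
my $naive_ok = eval { $dbh->selectrow_array($naive); 1 } ? 1 : 0;
print "naive interpolation: ", ($naive_ok ? "ran" : "failed: $@"), "\n";

# 2. $dbh->quote: the driver escapes the value and adds the outer quotes,
#    so the whole input stays inside one string literal ('O''Brien').
my $quoted = $dbh->quote($input);
my ($n_quote) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM users WHERE name = $quoted");
print "quote():     matched $n_quote row(s) using literal $quoted\n";

# 3. Placeholder: the value is bound separately and never becomes SQL text.
my ($n_bind) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM users WHERE name = ?", undef, $input);
print "placeholder: matched $n_bind row(s)\n";
```

Note that quote() only covers values, not table or column names (DBI has quote_identifier for those), and its correctness depends on the driver knowing the escaping rules of the target database.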