On Tue, Feb 3, 2009 at 5:47 AM, Deviloper <devilo...@slived.net> wrote:
>
> But some bad guy could show up and force the poor developer not to use
> perl-vars in SQL-Statements for security reasons.
>
> Is it possible to use tablenames like normal bind-variables?
> Is there a better way to solve this problem?
Using perl vars is ok as long as you untaint them (you are using taint checking in programs that use untrusted user input, right?). This can be as easy as:

    unless ( $table =~ /^(\w+)$/ ) {
        die "Bad table: $table";
    }
    $table = $1;

If only "trusted" users are using the program (e.g. in non-suid command line utilities), then I don't worry so much about pasting variables into SQL.
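The two points in the thread, that a placeholder cannot stand in for a table name and that a regex capture is what untaints the value under taint mode, as an added worked example. This is not code from the thread; it assumes DBD::SQLite is installed (an in-memory database is used so it runs offline), and the table names `users` and `orders` in the allowlist are hypothetical. Run it as `perl -T untaint_table.pl users` so that `@ARGV` is actually tainted.

```perl
#!/usr/bin/perl
# Run with: perl -T untaint_table.pl [table]
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory DB keeps this self-contained.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 } );

# Constructed sample schema and data (hypothetical table names).
$dbh->do('CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER)');
$dbh->do( 'INSERT INTO users (name) VALUES (?)', undef, $_ ) for qw(alice bob);

# Allowlist: the only tables this program is ever meant to touch.
my %allowed = map { $_ => 1 } qw(users orders);

# Untaint a table name. Under -T, data from @ARGV, %ENV, STDIN, etc. is tainted
# and will die if it reaches a system call or (with TaintIn) DBI; only a regex
# capture produces an untainted copy. We also require the name to be allowlisted,
# so a syntactically clean but unexpected table (sqlite_master, say) is rejected.
sub untaint_table {
    my ($table) = @_;
    die "Bad table: $table\n" unless $table =~ /^(\w+)$/;
    my $clean = $1;    # $1 is untainted
    die "Table not allowed: $clean\n" unless $allowed{$clean};
    return $clean;
}

# The identifier is interpolated into the SQL text, never bound. quote_identifier
# (a real DBI method) adds the driver's identifier quoting so reserved words are safe.
sub count_rows {
    my ( $dbh, $table ) = @_;
    my $t   = untaint_table($table);
    my $sql = 'SELECT COUNT(*) FROM ' . $dbh->quote_identifier($t);
    my ($n) = $dbh->selectrow_array($sql);
    return $n;
}

my $table = @ARGV ? $ARGV[0] : 'users';
print "rows in $table: ", count_rows( $dbh, $table ), "\n";

# Why the obvious approach fails: a placeholder binds a *value*, so the driver
# sees "FROM <string literal>" (or, as here, refuses it at prepare time).
eval { $dbh->selectrow_array( 'SELECT COUNT(*) FROM ?', undef, 'users' ) };
print "placeholder as table name: ", ( $@ ? "rejected ($@)" : "accepted\n" );

# What the untaint blocks: anything but \w+ dies before it touches the SQL.
eval { count_rows( $dbh, 'users; DROP TABLE users' ) };
print "injection attempt: ", ( $@ ? "rejected ($@)" : "accepted\n" );
```

The regex alone (`/^(\w+)$/`) is what the reply above shows and is enough to keep SQL metacharacters out; the allowlist on top of it is a stricter variant worth using when the set of legal tables is known in advance, since `\w+` still lets a caller name any table that exists.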