On Tue, 3 Feb 2009 10:06:48 -0800, Douglas Wilson <douglasg.wil...@gmail.com> wrote:
> On Tue, Feb 3, 2009 at 5:47 AM, Deviloper <devilo...@slived.net> wrote:
>>
>> But some bad guy could show up and force the poor developer not to use
>> perl-vars in SQL-Statements for security reasons.
>>
>> Is it possible to use tablenames like normal bind-variables?
>> Is there a better way to solve this problem?
>
> Using perl vars is ok as long as you untaint them (you are using
> taint checking in programs that use untrusted user input, right?).
>
> This can be as easy as:
>
> unless ( $table =~ /^(\w+)$/ ) {
>     die "Bad table: $table";
> }
> $table = $1;
>
my $qtable = $dbh->quote_identifier($table);

-r
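An added example, not from anyone in this thread, that puts the two pieces of advice together in one runnable script: the untainting regex from Douglas's reply and quote_identifier from this one, with the row value still passed as a bind placeholder. The in-memory SQLite database, the %ALLOWED_TABLE list and the count_by_name helper are assumptions made for the demonstration.

```perl
use strict;
use warnings;
use DBI;

# Table names the application actually exposes (assumed for the demo).
# Checking against a known list is stricter than the bare \w+ regex,
# which would also accept any other table the caller happens to name.
my %ALLOWED_TABLE = map { $_ => 1 } qw(users orders);

# Validate an untrusted table name and return it quoted as an identifier.
# Dies on anything that is not a single \w+ token or not in the list.
# The capture also untaints the value under perl -T.
sub safe_table_ident {
    my ($dbh, $table) = @_;
    # \A and \z instead of ^ and $ so a trailing newline cannot slip through.
    my ($clean) = $table =~ /\A(\w+)\z/
        or die "Bad table: $table\n";
    die "Unknown table: $clean\n" unless $ALLOWED_TABLE{$clean};
    return $dbh->quote_identifier($clean);
}

# The identifier comes from the whitelist check; the value is always a
# bind placeholder and is never interpolated into the SQL string.
sub count_by_name {
    my ($dbh, $table, $name) = @_;
    my $qtable = safe_table_ident($dbh, $table);
    my ($n) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM $qtable WHERE name = ?", undef, $name);
    return $n;
}

# Demo against an in-memory SQLite database (assumes DBD::SQLite is installed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, "alice");

print "users named alice: ", count_by_name($dbh, "users", "alice"), "\n";

# Anything outside the whitelist is rejected before any SQL is built:
# one value fails the regex, the other is a real table but not an allowed one.
for my $bad ("users; DROP TABLE users", "sqlite_master") {
    my $ok = eval { count_by_name($dbh, $bad, "alice"); 1 };
    print "rejected '$bad': $@" unless $ok;
}
```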