Re: Sql injection attacks
| From | Daniel Verite |
|---|---|
| Subject | Re: Sql injection attacks |
| Date | |
| Msg-id | 20040728184609.1900596@uruguay.brainstorm.fr |
| In reply to | Re: Sql injection attacks (Harald Fuchs <hf0722x@protecting.net>) |
| List | pgsql-general |
Harald Fuchs writes:
> Perhaps you mean something like the following:
>
> my $sth = $dbh->prepare (q{
> SELECT whatever
> FROM mytable
> WHERE somecol LIKE ? || '%'
> });
> $sth->execute ($input);
>
> Even if $input contains '%' or '_', those characters get properly escaped.
Hum, what makes you think that? If $input is "_foo%", then the DBD
driver will produce this query:
SELECT whatever FROM mytable WHERE somecol like '_foo%'||'%'
The % and _ characters aren't escaped at all.
That can be confirmed by setting $dbh->trace_level to something greater than or equal
to 2 and looking at the Pg DBD driver's output.
--
Daniel
PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org
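The point Daniel makes above, that a bound parameter stops SQL injection but does nothing about the LIKE metacharacters `%` and `_`, can be reproduced without a PostgreSQL server. The following is an added example, not code from the thread or from DBD::Pg; it uses Python's stdlib sqlite3 as a stand-in for Postgres (the LIKE/ESCAPE semantics shown here are the same in both), with a constructed `mytable` of a few rows. `prefix_search_naive` is the pattern from Harald's message, and `prefix_search_safe` is the usual fix: escape the wildcards in the value before binding it and declare the escape character with an ESCAPE clause. The table contents, function names and the backslash escape character are all my assumptions.

```python
import sqlite3

# Constructed sample data standing in for the thread's "mytable".
ROWS = ["afoo", "_foo%", "foobar", "xfoo", "bar"]


def make_db():
    """Build an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (somecol TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?)", [(r,) for r in ROWS])
    return conn


def prefix_search_naive(conn, user_input):
    """The query from the thread: the value is bound, so a quote in
    user_input cannot break out of the string literal, but '%' and '_'
    inside user_input are still interpreted as LIKE wildcards."""
    cur = conn.execute(
        "SELECT somecol FROM mytable WHERE somecol LIKE ? || '%' "
        "ORDER BY somecol",
        (user_input,),
    )
    return [row[0] for row in cur.fetchall()]


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters in a user-supplied value.
    The escape character itself must be escaped first, otherwise a
    trailing backslash in the input could swallow the '%' we append."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def prefix_search_safe(conn, user_input):
    """Same bound-parameter query, but the value is wildcard-escaped and
    the pattern declares its escape character with ESCAPE.  PostgreSQL
    uses backslash as the default escape character; naming it explicitly
    keeps the statement portable."""
    cur = conn.execute(
        "SELECT somecol FROM mytable WHERE somecol LIKE ? || '%' ESCAPE '\\' "
        "ORDER BY somecol",
        (escape_like(user_input),),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    # "_foo%" as a prefix: the naive query turns it into the pattern
    # '_foo%%' and matches afoo, _foo% and xfoo; the escaped query
    # matches only the row that literally starts with "_foo%".
    print("naive:", prefix_search_naive(db, "_foo%"))
    print("safe: ", prefix_search_safe(db, "_foo%"))
    # Classic injection text is harmless in both: it is just a string.
    print("inject:", prefix_search_naive(db, "' OR '1'='1"))
```

Run it and compare the two result lists for the input `_foo%`; the trace output Daniel refers to would show the same unescaped pattern that `prefix_search_naive` sends. Escaping the value rather than the SQL is what makes this safe: the statement text never changes, only the bound value does.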