如何使用Perl的DBI防止SQL注入攻击?
在将输入数据放入MySQL数据库之前,我可以在Perl中使用该功能来清理输入吗?我对正则表达式不太了解,因此在执行自己的功能之前,我想知道是否已经有一个正则表达式.
Is there a function i can use in Perl to sanitize input before putting it into a MySQL db? I don't know regex very well so before I make my own function i was wondering if there was already one made.
The proper way to sanitize data for insertion into your database is to use placeholders for all variables to be inserted into your SQL strings. In other words, NEVER do this:
my $sql = "INSERT INTO foo (bar, baz) VALUES ( $bar, $baz )";
相反,请使用?占位符:
my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )";
然后在执行查询时传递要替换的变量:
And then pass the variables to be replaced when you execute the query:
my $sth = $dbh->prepare( $sql );
$sth->execute( $bar, $baz );
您可以将这些操作与某些DBI便捷方法结合起来;上面也可以这样写:
You can combine these operations with some of the DBI convenience methods; the above can also be written:
$dbh->do( $sql, undef, $bar, $baz );
有关详细信息,请参见 DBI文档.
See the DBI docs for more information.