Re: Calling a PostgreSQL function via DBI
- From: alexander@xxxxxxxx (Alexander Foken)
- Date: Wed, 22 Feb 2006 15:44:18 +0100
You should not interpolate variables into the SQL statement, especially not when you work in a CGI environment (or similar). You are begging for big trouble. Learn what SQL injection means, and avoid it like hell.
Use:
my $sth = $dbh->prepare('SELECT neues_suchprofil (?::numeric,?::text)'); # single quotes -> no interpolation, placeholders instead of interpolation
$sth->execute($cookieValue,$suchprofil_name); # execute() is a statement-handle method; the database replaces the placeholders with the bound values
Alexander
Christian Stalp wrote:
Thank you Greg, I already solved it. First I changed the code this way:
my $arg1 = $cookieValue . "::numeric";
my $arg2 = $suchprofil_name . "::text";
$result = $dbh->prepare ( "SELECT neues_suchprofil ( $arg1, '$arg2' ) " ) or
die "Vorbereitung nicht durchfuehrbar!\n";
$result->execute() or die "Abfrage nicht ausfuehrbar -suchprofil! $DBI::errstr\n";
$result->finish();
And then I granted some privileges to the user which accesses the DBI. Now it
works :-)
Gruss Christian
--
Alexander Foken
mailto:alexander@xxxxxxxx http://www.foken.de/alexander/
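A complete version of the placeholder approach recommended above, written as an added example for this archive page (it is not Alexander's or Christian's code). It assumes DBD::Pg, a PostgreSQL function neues_suchprofil(numeric, text) as in the thread, and placeholder connection details; the sample cookie value and profile name are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connection details are placeholders; replace them for your environment.
# RaiseError => 1 makes DBI die on failure, so no "or die" chains are needed.
my $dbh = DBI->connect(
    'dbi:Pg:dbname=DBNAME;host=localhost', 'DBUSER', 'DBPASS',
    { RaiseError => 1, AutoCommit => 1 },
);

# Calls neues_suchprofil(numeric, text) and returns the function's result.
# Both arguments are bound parameters: the driver sends them to the server
# as data, so their content can never change the SQL text that is executed.
sub neues_suchprofil {
    my ($dbh, $cookie_value, $profil_name) = @_;

    # Defence in depth: a cookie is untrusted input, so check that it really
    # is a plain integer before it reaches the database at all.
    die "Ungueltiger Cookie-Wert\n"
        unless defined $cookie_value && $cookie_value =~ /\A\d+\z/;

    # Single quotes: Perl does not interpolate here; the ? are DBI
    # placeholders and the ::casts tell PostgreSQL the parameter types.
    my $sth = $dbh->prepare('SELECT neues_suchprofil(?::numeric, ?::text)');
    $sth->execute($cookie_value, $profil_name);

    my ($result) = $sth->fetchrow_array;   # the function returns one value
    $sth->finish;
    return $result;
}

# Constructed sample input; in the original CGI script these come from the
# browser cookie and the submitted form field.
my $cookieValue      = '4711';
my $suchprofil_name  = "O'Reilly Suche";   # the quote is harmless as a bound value

my $neu = neues_suchprofil($dbh, $cookieValue, $suchprofil_name);
print "neues_suchprofil returned: ", (defined $neu ? $neu : 'NULL'), "\n";

$dbh->disconnect;
```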
- References:
- Re: Calling a PostgreSQL function via DBI
- From: Greg Sabino Mullane
- Re: Calling a PostgreSQL function via DBI
- From: Christian Stalp
- Re: Calling a PostgreSQL function via DBI