Re: Trapping error for $dbh->do()

From: alexander@xxxxxxxx (Alexander Foken)
Date: Thu, 10 May 2007 09:29:17 +0200

Just three points:

* Pasting values into the SQL command requires careful quoting. Parameters do this automatically.
* Failing to quote correctly allows SQL injection, a common exploit for www tools, but this is also possible with command line and GUI tools. With parameters, the DBD::whatever takes care of quoting as a last resort, but usually, parameter values and command are transported separately to the database. So SQL injection is IMPOSSIBLE when using parameters. (Unless the DBD::whatever has a severe bug.)
* Pasting values into SQL command requires to parse the SQL for each set of values. Using a single prepare() and repeated execute()s requires to parse only once, the parser result can be recycled. This makes things faster. prepare_cached() accelerates further.

Alexander

Loo, Peter # PHX wrote:

Hi Alexander,

Thanks for your kind input. Completely understood except the sentence
starting with "NEVER, NEVER...". Will you kindly explain?

Thanks again.
Peter

-----Original Message-----
From: Alexander Foken [mailto:alexander@xxxxxxxx] Sent: Tuesday, May 08, 2007 2:11 PM
To: Loo, Peter # PHX
Cc: dbi-users@xxxxxxxx
Subject: Re: Trapping error for $dbh->do()

Quoting the DBI man page
<http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Database_Handle_Methods>:

do
$rows = $dbh->do($statement) or die $dbh->errstr;
$rows = $dbh->do($statement, \%attr) or die $dbh->errstr;
$rows = $dbh->do($statement, \%attr, @bind_values) or die ...

Prepare and execute a *SINGLE* statement.

If your DBD seems to support mutliple statements in a single $dbh->do(),
it does that by accident.

If you need "all or nothing", read about transactions: <http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Transactions>

If you just need to process several SQL commands, use a loop.
my @statements=(...);
foreach my $st (@statements) {
$dbh->do($st);
}

With transactions, you would wrap the entire loop and the final commit
inside an eval BLOCK, and call rollback if $@ is true after the eval.

NEVER, NEVER, NEVER put values inside the SQL statements, this begs for
trouble and usually performs suboptimal.

Hope that helps,
Alexander

Loo, Peter # PHX wrote:

Hi,
I am trying to execute multi SQL statements within the $dbh->do() and it appears to work fine except it does not give me an error when part of the SQL fails. For example:
BEGIN WORK;
CREATE TEMP TABLE p_temp AS
SELECT col1
, col2
, col3
>FROM table1
, table2
WHERE blah blah;
INSERT INTO some_destination_table
SELECT col1
, col2
, col3
, etc...
>FROM table1
, table2
, table3;
COMMIT;
The part that does the CREATE TEMP TABLE failed because one of the tables it is referencing does not exist, however, $dbh->do() did not return any error. I did in fact turned on the RaiseError in the connect statement.
unless($dbh = DBI->connect("dbi:$dbDriver:$dbName", $dbUser, $dbPass, { RaiseError => 1 })) {
$MESSAGE = "ERROR: Connection failed to $dbName for user $dbUser.";
print STDERR "$MESSAGE\n\n";
$STATUS = $FAILURE;
sub_exit();
}
I am also trying to trap $dbh->do() using "eval".
eval {
$dbh->do($sqlString);
};
if ($@) {
$MESSAGE = "ERROR: dbh->do($sqlString) failed. $@";
print STDERR "$MESSAGE\n\n";
$STATUS = $FAILURE;
sub_exit();
}
Hope someone can shed some light for me. The versions I am using are:
This is perl, v5.8.7 built for sun4-solaris
$ perl -M'DBD::ODBC' -le 'print $DBD::ODBC::VERSION'
1.13
Thanks.
Peter

--
Alexander Foken
mailto:alexander@xxxxxxxx http://www.foken.de/alexander/

This E-mail message is for the sole use of the intended recipient(s) and
may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not
the intended recipient, please contact the sender by reply E-mail, and
destroy all copies of the original message.

--
Alexander Foken
mailto:alexander@xxxxxxxx http://www.foken.de/alexander/

.

References:
- Trapping error for $dbh->do()
  - From: Peter # PHX Loo
- Re: Trapping error for $dbh->do()
  - From: Alexander Foken
- RE: Trapping error for $dbh->do()
  - From: Peter # PHX Loo

Prev by Date: Re: Error installing DBD::Sybase on Solaris
Next by Date: Re: debugging a DBI module
Previous by thread: Re: Trapping error for $dbh->do()
Next by thread: Clarification on DBI module
Index(es):
- Date
- Thread

Relevant Pages

RE: SBS2003 Standard - managing the SQL installation?
... information for how to use SQL command line for MSDE 2000: ... 325003 How To Manage the SQL Server Desktop Engine (MSDE 2000) by Using the ... This newsgroup only focuses on SBS technical issues. ...
(microsoft.public.windows.server.sbs)
Re: SQL Message
... its explanation is geared to people who know what SQL is and why ... Microsoft and can only surmise why their software displays this message, ... "Opening this document will run the following SQL command: ...
(microsoft.public.word.mailmerge.fields)
Re: Error while using parameterized batch code as Sql Command in SSIS
... batch logic instead of a single sql query, ... GroupName VarcharNOT NULL, TAT Int) ... use the "SQL command from ...
(microsoft.public.sqlserver.dts)
Im having trouble with SQL
... SELECT statement to the SQL command, ... Even after inserting the data, some of it might go missing. ... but since my current Delphi 5 doesn't ...
(comp.lang.pascal.delphi.misc)
Re: sql injection - missed it at bh/defcon + follow on query.
... sql injection - missed it at bh/defcon + follow on query. ... >I got thro' a login by putting ... >This list is provided by the SecurityFocus Security Intelligence Alert ...
(Pen-Test)