[CDBI] Using scalar functions with AbstractSearch

Rhesa Rozendaal perl at rhesa.com
Thu Feb 2 04:54:24 GMT 2006


Bill Moseley wrote:
> On Thu, Feb 02, 2006 at 02:41:57AM +0100, Rhesa Rozendaal wrote:
>
>> WHERE ( end >= 'now()' AND foo = 'bar' AND start < 'now()' )
>>
>> which is different from
>>
>> WHERE ( end >= now() AND foo = 'bar' AND start < now() )

> You must be smoking different cigars:
> 
> (or using a different DBD)

Why, yes, I was trying this with mysql.

[snip example with Pg]

I suppose it's my lack of experience with postgresql, but I find it a bit 
unsettling that placeholder values would be executed instead of used as plain 
strings. I would not have expected

$sth->execute( " where end > ? and start < ? ", {}, qw/ now() now() / );

to give the same result set as

$sth->execute( " where end > now() and start < now() ", {}, qw// );

Is it just me, or does that look like a potential SQL injection hole?

Rhesa
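The placeholder behaviour Rhesa is asking about, shown as an added example that is not part of this thread or of Class::DBI. It uses Python's sqlite3 module in place of DBI with MySQL or Pg, SQLite's datetime('now') in place of now(), and the column names start_at/end_at (end is a reserved word in SQLite); the table and its rows are constructed for the demo. A bound placeholder delivers the string now() as data, so the query compares text against that literal; only inlining the expression into the SQL string gets it evaluated.

```python
import sqlite3

# Constructed sample rows: (id, start_at, end_at, foo). Row 1 is "active"
# for any clock reading between the years 2000 and 2100; rows 2 and 3 are not.
ROWS = [
    (1, "2000-01-01 00:00:00", "2100-01-01 00:00:00", "bar"),
    (2, "2000-01-01 00:00:00", "2001-01-01 00:00:00", "bar"),
    (3, "2099-01-01 00:00:00", "2100-01-01 00:00:00", "bar"),
]


def setup():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t (id INTEGER, start_at TEXT, end_at TEXT, foo TEXT)"
    )
    conn.executemany("INSERT INTO t VALUES (?, ?, ?, ?)", ROWS)
    return conn


def bound_value(conn, value):
    """Return what the database sees when `value` is passed through a placeholder.

    For value = "now()" this comes back as the literal string "now()": the
    driver ships it as data and the SQL engine never parses it as an expression.
    """
    return conn.execute("SELECT ?", (value,)).fetchone()[0]


def count_with_placeholders(conn, value):
    """The WHERE clause from the thread with both values bound.

    end_at >= 'now()' is a plain text comparison against the four characters
    n, o, w, ( ... so no timestamp row matches.
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM t WHERE end_at >= ? AND foo = 'bar' AND start_at < ?",
        (value, value),
    ).fetchone()
    return row[0]


def count_with_interpolation(conn, expr):
    """The same clause with the expression pasted into the SQL text.

    This is the path on which an expression *is* evaluated, and therefore the
    path on which any text that reaches `expr` becomes part of the statement.
    Shown for contrast only; the placeholder form above is the safe one.
    """
    sql = (
        f"SELECT COUNT(*) FROM t WHERE end_at >= {expr} "
        f"AND foo = 'bar' AND start_at < {expr}"
    )
    return conn.execute(sql).fetchone()[0]


if __name__ == "__main__":
    c = setup()
    print("bound placeholder yields:", bound_value(c, "now()"))
    print("rows with placeholders :", count_with_placeholders(c, "now()"))
    print("rows with interpolation:", count_with_interpolation(c, "datetime('now')"))
```

Running it shows the bound value coming back as the string now(), zero rows from the placeholder query (text comparison against the literal), and one row from the interpolated query (the expression was evaluated). If a driver returned the same result set for both forms, that would mean the driver itself was interpolating the bound value into the SQL text, which is exactly the condition the post is worried about.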
