[CDBI] Re: Using scalar functions with AbstractSearch

Edward J. Sabol sabol at alderaan.gsfc.nasa.gov
Thu Feb 2 05:16:52 GMT 2006


Rhesa wrote:
> I suppose it's my lack of experience with postgresql, but I find it a
> bit unsettling that placeholder values would be executed instead of
> used as plain strings. I would not have expected
>
> $sth->execute( " where end > ? and start < ? ", {}, qw/ now() now() / );
>
> to give the same resultset as
>
> $sth->execute( " where end > now() and start < now() ", {}, qw// );
>
> Is it just me, or does that look like a potential sql injection hole?

I'm with Rhesa on this one. None of the DBDs I've used allow this, and I
would not have expected DBD::Pg to either. It does seem dangerous.
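An added example, not from the thread, that makes the expected behaviour testable: with DBI placeholders the bound value is data, so the text "datetime('now')" is compared as a string, whereas interpolating the same text into the SQL turns it into a function call, and a driver that treated bind values as SQL would make the two calls agree. It assumes DBD::SQLite is installed (used in place of DBD::Pg, with SQLite's datetime('now') standing in for Postgres now()) and uses a constructed in-memory table.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database; assumes DBD::SQLite is installed.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );

# "end" is quoted because it is a reserved word in SQLite.
$dbh->do('CREATE TABLE events (name TEXT, start TEXT, "end" TEXT)');
my $ins = $dbh->prepare('INSERT INTO events (name, start, "end") VALUES (?, ?, ?)');
$ins->execute( 'open',    '2000-01-01', '2999-01-01' );              # still running
$ins->execute( 'closed',  '1990-01-01', '2000-01-01' );              # already over
$ins->execute( 'literal', "datetime('now')", "datetime('now')" );   # stores the text itself

# Placeholders: the driver sends $value as data, so the columns are compared
# against the string "datetime('now')" and only the 'literal' row can match.
sub names_with_bound {
    my ( $dbh, $value ) = @_;
    return $dbh->selectcol_arrayref(
        'SELECT name FROM events WHERE "end" >= ? AND start <= ? ORDER BY name',
        {}, $value, $value );
}

# String interpolation: the same text becomes part of the statement and is
# evaluated as a function call, so the currently open event matches instead.
sub names_with_interpolation {
    my ( $dbh, $expr ) = @_;
    return $dbh->selectcol_arrayref(
        qq{SELECT name FROM events WHERE "end" >= $expr AND start <= $expr ORDER BY name},
        {} );
}

my $now = "datetime('now')";   # SQLite's stand-in for Postgres now()
print "bound:        @{ names_with_bound($dbh, $now) }\n";
print "interpolated: @{ names_with_interpolation($dbh, $now) }\n";
```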
