如何使用 Perl 的 DBI 防止 SQL 注入攻击?

2021-12-10 00:00:00 perl mysql input-sanitization

在将输入放入 MySQL 数据库之前,我可以在 Perl 中使用它来清理输入吗?我不太了解正则表达式,所以在我制作自己的函数之前,我想知道是否已经制作了一个.

Is there a function i can use in Perl to sanitize input before putting it into a MySQL db? I don't know regex very well so before I make my own function i was wondering if there was already one made.

推荐答案

清理数据以插入数据库的正确方法是使用 占位符 用于将所有变量插入到您的 SQL 字符串中.换句话说,永远不要这样做:

The proper way to sanitize data for insertion into your database is to use placeholders for all variables to be inserted into your SQL strings. In other words, NEVER do this:

my $sql = "INSERT INTO foo (bar, baz) VALUES ( $bar, $baz )";

相反,使用 ? 占位符:

Instead, use ? placeholders:

my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )";

然后在执行查询时传递要替换的变量:

And then pass the variables to be replaced when you execute the query:

my $sth = $dbh->prepare( $sql );
$sth->execute( $bar, $baz );

您可以将这些操作与一些 DBI 便利方法结合起来;上面也可以写成:

You can combine these operations with some of the DBI convenience methods; the above can also be written:

$dbh->do( $sql, undef, $bar, $baz );

有关详细信息,请参阅 DBI 文档.

See the DBI docs for more information.

相关文章