How to bind values INSERT INTO mysql perl

Views: 75

Problem description

I've got the code below that works but I need to know how to bind them for security. If I just replace $new_row with ? and put it in execute I get an error. Thanks for your help.

use DBI;
use CGI qw(param);

# $database, $MYSQLuserid, $MYSQLpassword, $table, $status and
# @account_field_order are set earlier in the script.
# Each request parameter is quoted by hand and spliced into the SQL text.
my $new_row = '';
foreach my $field (@account_field_order) {
    $new_row .= "'" . param($field) . "', ";
}
$new_row .= "'$status'";
my $dsn = "DBI:mysql:$database";
my $dbh = DBI->connect($dsn, $MYSQLuserid, $MYSQLpassword)
          or die $DBI::errstr;
my $sth = $dbh->prepare(qq(INSERT INTO $table VALUES ($new_row) )) or die $DBI::errstr;
$sth->execute() or die $DBI::errstr;

Recommended answer

You will want to use placeholders, and never interpolate variables in strings. You should probably use taint mode and de-taint your param values before using them, if safety is important to you. Documentation on placeholders here.

Try something like:

my @values = map param($_), @account_field_order; # add values to array
push @values, $status;                  # for simplicity
$new_row = join ", ", ("?") x @values;  # add ? for each value

... # basically same code as before, except the execute statement:

$sth->execute(@values);      # arguments given will be inserted at placeholders
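The same approach as a complete script, added here as an example and not code from either the question or the answer. It assumes DBD::SQLite with an in-memory database so it runs offline (for MySQL only the DSN and credentials change), a constructed `%param` hash standing in for CGI's `param()`, and made-up table and column names; it also shows the one thing placeholders cannot do, which is bind the table and column names, so those are taken from a fixed list in the program and quoted with `quote_identifier`.

```perl
#!/usr/bin/perl
# Added example: INSERT with bound values via DBI placeholders.
# Assumes DBD::SQLite (in-memory) so it runs offline; for MySQL replace the
# DSN with "DBI:mysql:$database" and supply the user id and password.
use strict;
use warnings;
use DBI;

my $table               = 'accounts';              # constructed names
my @account_field_order = qw(username email);
my %param = (   # constructed stand-in for CGI param(); note the quote in the value
    username => "o'brien",
    email    => 'ob@example.com',
);
my $status = 'active';

my $dbh = DBI->connect('DBI:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE accounts (username TEXT, email TEXT, status TEXT)');

# Identifiers (table and column names) cannot be bound with '?', so they come
# from a fixed list in the program, never from the request, and are quoted
# with quote_identifier. Values are bound with one '?' each.
my @columns = (@account_field_order, 'status');
my @values  = map { $param{$_} } @account_field_order;
push @values, $status;

my $sql = sprintf 'INSERT INTO %s (%s) VALUES (%s)',
    $dbh->quote_identifier($table),
    join(', ', map { $dbh->quote_identifier($_) } @columns),
    join(', ', ('?') x @values);

my $sth = $dbh->prepare($sql);
$sth->execute(@values);   # values travel separately from the SQL text

# Read the row back: the apostrophe in "o'brien" was stored intact and was
# never part of the SQL string, which is what the hand-quoted version got wrong.
my $row = $dbh->selectrow_hashref('SELECT * FROM accounts');
printf "%s / %s / %s\n", @{$row}{qw(username email status)};
```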
