| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Rob Sargent <robjsargent(at)gmail(dot)com> |
| Cc: | stan <stanb(at)panix(dot)com>, "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: plperl syntax question |
| Date: | 2020-03-13 03:10:52 |
| Message-ID: | CAKFQuwabpY3g9gehx1=-bW+Ot6m1vMsETXZQLXWZv7jD=zZvcA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thursday, March 12, 2020, Rob Sargent <robjsargent(at)gmail(dot)com> wrote:
>
> The example I saw for qq on the perl site
>
> print(qq(Welcome to GeeksForGeeks));
>
> doesn’t have any quotes in arg to qq
>
Correct. It also says:
qq() operator in Perl <https://www.geeksforgeeks.org/introduction-to-perl/> can
be used in place of double quotes. It uses a set of parentheses to surround
the string.
Try making the sql string without using qq
> my $select = “select....’” + $user + “‘;”;
> (or perhaps perl has a formatted string function like printf)
>
This is worse than using correctly.
The OP should (I think) be using a parameterized query instead of brute
force string manipulation since this code is a prone to exploit.
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Deepti Sharma S | 2020-03-13 03:55:59 | RE: PostgreSQL10.x client Vs. PostgreSQL 11.x server |
| Previous Message | David G. Johnston | 2020-03-13 03:06:17 | Re: plperl syntax question |