---- Perl security: how to scrub/handle input data?
phranque - 10:19 am on Nov 4, 2010 (gmt 0)
It doesn't sound like you need this in your case, but if you are using any input data in a SQL statement you will need to escape any special characters to transform the input into a legal string and to avoid SQL injection. For example, if you were using a MySQL database, you would need to escape any backslashes and (single & double) quotes as described below.
When writing application programs, any string that might contain any of these special characters must be properly escaped before the string is used as a data value in an SQL statement that is sent to the MySQL server. You can do this in two ways:
* Process the string with a function that escapes the special characters. In a C program, you can use the mysql_real_escape_string() C API function to escape characters. See Section 22.214.171.124, "mysql_real_escape_string()" [dev.mysql.com]. The Perl DBI interface provides a quote method to convert special characters to the proper escape sequences. See Section 20.10, "MySQL Perl API" [dev.mysql.com]. Other language interfaces may provide a similar capability.
* As an alternative to explicitly escaping special characters, many MySQL APIs provide a placeholder capability that enables you to insert special markers into a statement string, and then bind data values to them when you issue the statement. In this case, the API takes care of escaping special characters in the values for you.
[edited by: phranque at 2:03 pm (utc) on Nov 4, 2010]
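As an added illustration of the two approaches quoted above (the DBI quote method and placeholders), here is a small Perl script that is not part of phranque's post or of the MySQL manual. It assumes DBI with DBD::SQLite installed and uses an in-memory SQLite database so it runs without a MySQL server; with DBD::mysql the same DBI calls apply, only the connect string and the exact escaping done by quote change, since quote is implemented by each driver. The table, rows and the hostile input string are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed: DBD::SQLite is available. For MySQL the DSN would be
# "dbi:mysql:database=...;host=..." with DBD::mysql instead.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data, including a legitimate name that contains a quote.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
my $ins = $dbh->prepare("INSERT INTO users (name) VALUES (?)");
$ins->execute($_) for ("alice", "bob", "o'brien");

# Constructed input standing in for a value read straight from a form field.
my $input = "x' OR '1'='1";

# 1. Interpolating the raw input: the single quote inside $input terminates
#    the string literal and the remainder is parsed as SQL, so the WHERE
#    clause is always true and every row comes back.
my $unsafe = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = '$input'");
printf "interpolated: %d rows\n", scalar @$unsafe;

# 2. $dbh->quote: the driver escapes the special characters and wraps the
#    result in quotes, so the whole input stays one string literal.
my $quoted = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = " . $dbh->quote($input));
printf "quote():      %d rows\n", scalar @$quoted;

# 3. Placeholders: the value is bound at execute time and never becomes part
#    of the SQL text, so no escaping is needed in application code.
my $sth = $dbh->prepare("SELECT name FROM users WHERE name = ?");
$sth->execute($input);
my $bound = $sth->fetchall_arrayref;
printf "placeholder:  %d rows\n", scalar @$bound;

# Legitimate data with a quote in it still round-trips through a placeholder.
$sth->execute("o'brien");
my $row = $sth->fetchrow_arrayref;
print "lookup o'brien: ", ($row ? $row->[0] : "not found"), "\n";

$dbh->disconnect;
```

Run with the three rows above, the interpolated query returns all 3 rows while both the quote() and placeholder versions return 0, and the final lookup prints o'brien. Placeholders are the form to prefer: the escaping is the driver's job, it cannot be forgotten on one code path, and the same prepared statement can be executed repeatedly with different values.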