Subject: | Possible SQL injection attack |
sub remove {
my $self = shift;
my ($sid) = @_;
croak "remove(): usage error" unless $sid;
my $dbh = $self->{Handle};
my $sql = sprintf("DELETE FROM %s WHERE id='%s'", $self->table_name,
$sid);
unless ( $dbh->do($sql) ) {
croak "remove(): \$dbh->do failed!";
}
return 1;
}
woudl be better done with place holders or $dbh->quote (and maybe the
return value could be more more meaningful and safe)
sub remove {
my $self = shift;
my ($sid) = @_;
croak "remove(): usage error" unless $sid;
my $sql = sprintf(");
my $rc = $self->{Handle}->do(
'DELETE FROM'
. $self->{Handle}->quote($self->table_name)
. ' WHERE id='
. $self->{Handle}->quote($sid)
);
# do(DELETE) usually returns 0 even thouh it worked do or croak()
could cause problems...
croak "remove(): \$dbh->do failed!" if $rc eq '0E0';
# maybe not croak and return ??
return $rc eq 'E0E' ? 0 : 1;
}