Front page | perl.dbi.users |
Postings from February 2001
Stephen Clouse writes: > > You should be using placeholders either way, if only to spare yourself from the > pain of proper quoting when interpolating variables into SQL statements, and in > the case of CGI and other similar programs, to spare yourself from SQL variable > interpolation attacks. While I agree with this in general, it should be pointed out that for Sybase (and possibly MS-SQL) servers the prepare with placeholder involves some additional overhead over a straight SQL request (both in terms of processing time and of resources on the server). It is therefore usually preferable, when using a Sybase back-end, to avoid ?-style placeholders for requests that are only going to be called once. For Sybase and MS-SQL servers you can use stored procedures (that's what SQL statements with ?-placeholders resolve to anyway) to avoid SQL parsing and query plan optimization on each request. With Sybase::CTlib you can call stored procs as RPC calls instead of SQL language calls thus avoiding the SQL parsing altogether as well as any interpolation attacks. I'm considering adding this capability to DBD::Sybase, possibly as a $dbh->func() call. Michael -- Michael Peppler - Data Migrations Inc. - mpeppler@peppler.org http://www.mbay.net/~mpeppler - mpeppler@mbay.net International Sybase User Group - http://www.isug.com Sybase on Linux mailing list: ase-linux-list@isug.comThread Previous