Home/ Questions/Q 8675429
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T19:56:48+00:00

The problem I am having is that I have a user input a string…

  • 0

The problem I am having is that I have a user input a string… Could be anything less than 156 characters, and the DBI statement inserts the string perfectly if there are no apostrophes or quotation marks in the string.

This works fine-> I am working!
This doesn’t work-> I’m not working!

To insert I use the following code:

    $sth = $dbh->prepare("INSERT INTO table VALUES('$var1','$var2','$var3')");
    $sth->execute();

I know that Perl interpolates the strings different with ‘ ‘ and ” ” but my program throws a fit when I try that. I’ve also tried using a join to join that prepare statement together using ” ” marks. The variable that stores the 155 characters is $var3 if that matters, and all 3 are VARCHAR attributes. Any suggestions?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to escape your variables.

    It is exactly this oversight that hackers exploit to perform SQL injection attacks: read the story of poor little Bobby Tables. Indeed, you really should avoid ever evaluating your variables for SQL, by parameterising your prepared statement:

    $sth = $dbh->prepare('INSERT INTO table VALUES(?, ?, ?)');
$sth->execute($var1, $var2, $var3);
    • 0