[Mimedefang] Re: sql integration of quarantine and others

Jeff Rife mimedefang at nabs.net
Wed Apr 4 09:27:18 EDT 2007


On 4 Apr 2007 at 9:21, Danny Kjærgaard wrote:

> And there would be no need for quoting the msg or commenting out nasty 
> chars that would break the perl code ?

Any "nasty characters" are never seen by the perl interpreter in the 
code example I gave.

> #################################################
> open(IN, "<./INPUTMSG");
> my $msg = join("\n", <IN>);
> close(IN);
> 
> $dbh->do(qq{
> INSERT INTO mail (ip_address, mail_message)
> VALUES ($RelayAddr, $msg)
> });
> #################################################

The variable expansion inside a double quote is done at runtime.

If you truly worry about SQL injection from the contents of a full e-mail 
message (which is highly unlikely), just use prepared statements:

#################################################
# Placeholders: the SQL text is fixed when the statement is prepared;
# $RelayAddr and $msg are handed to the driver separately, so nothing
# in the message body can change the statement itself.
my $sth = $dbh->prepare(qq{
INSERT INTO mail (ip_address, mail_message)
VALUES (?, ?)
});

$sth->execute($RelayAddr, $msg);
#################################################


--
Jeff Rife |  
          | http://www.nabs.net/Cartoons/FoxTrot/TransporterError.jpg 
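The two approaches discussed in this thread, side by side, as an added example that is not part of the original post or of MIMEDefang itself. It assumes DBD::SQLite is installed and uses an in-memory database in place of the list's real $dbh; the relay address and message body are constructed sample values.

```perl
#!/usr/bin/perl
# Added example: interpolating the message body into the SQL string
# versus passing it through DBI placeholders. Assumes DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE mail (ip_address TEXT, mail_message TEXT)});

# Constructed sample inputs. The body contains apostrophes, which are
# ordinary text in e-mail but string delimiters in SQL.
my $RelayAddr = '192.0.2.10';
my $msg = "Subject: it's here\n\nO'Reilly wrote: 'quoted text'\n";

# 1. Interpolation: Perl expands $msg at runtime and the body becomes
#    part of the SQL text. The database parser then sees the apostrophes
#    as SQL syntax, so the INSERT fails instead of storing the message.
my $interpolated_ok = eval {
    $dbh->do(qq{INSERT INTO mail (ip_address, mail_message)
                VALUES ('$RelayAddr', '$msg')});
    1;
} ? 1 : 0;
print "interpolated insert succeeded: $interpolated_ok\n";

# 2. Placeholders: the SQL text is fixed at prepare time and the values
#    travel separately, so the same body is stored exactly as given.
my $sth = $dbh->prepare(q{INSERT INTO mail (ip_address, mail_message)
                         VALUES (?, ?)});
$sth->execute($RelayAddr, $msg);

my ($stored) = $dbh->selectrow_array(
    q{SELECT mail_message FROM mail WHERE ip_address = ?},
    undef, $RelayAddr);
print "placeholder insert stored body unchanged: ",
      ($stored eq $msg ? "yes" : "no"), "\n";

$dbh->disconnect;
```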