[Mimedefang] Re: sql integration of quarentine and others
Jeff Rife
mimedefang at nabs.net
Wed Apr 4 09:27:18 EDT 2007
On 4 Apr 2007 at 9:21, Danny Kjærgaard wrote:
> And there would be no need for quoting the msg or commenting out nasty
> chars that would break the perl code ?
Any "nasty characters" are never seen by the perl interpreter in the
code example I gave.
> #################################################
> open(IN, "<./INPUTMSG");
> my $msg = join("\n", <IN>);
> close(IN);
>
> $dbh->do(qq{
> INSERT INTO mail (ip_address, mail_message)
> VALUES ($RelayAddr, $msg)
> });
> #################################################
The variable expansion inside a double quote is done at runtime.
If you truly worry about SQL injection from the contents of a full e-mail
message (which is highly unlikely), just use prepared statements:
#################################################
my $sth = $dbh->prepare(qq{
INSERT INTO mail (ip_address, mail_message)
VALUES (?, ?)
});
# the values are bound separately; nothing in $msg is parsed as SQL
$sth->execute($RelayAddr, $msg);
#################################################
--
Jeff Rife | http://www.nabs.net/Cartoons/FoxTrot/TransporterError.jpg
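Added example, not code from Jeff's reply or from MIMEDefang, that runs the two approaches above side by side. It assumes DBD::SQLite is installed (an in-memory database keeps it self-contained); $RelayAddr and the message text are constructed sample values, and the interpolated INSERT is given the single quotes a working version of the earlier snippet would need. The point it shows is that an ordinary apostrophe in a message body is enough to break the interpolated statement, while placeholders store the same body unchanged.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): contrast interpolating an
# e-mail body into SQL with using DBI placeholders. DBD::SQLite with an
# in-memory database is assumed so the script runs stand-alone.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE mail (ip_address TEXT, mail_message TEXT)});

# Constructed sample input: a relay address and a message whose body
# contains apostrophes, as real mail routinely does.
my $RelayAddr = "192.0.2.10";
my $msg = "From: alice\@example.com\n\nDon't forget the 5 o'clock meeting.\n";

# 1. Interpolated query, quoted the way the earlier snippet would have to be.
#    The message text becomes part of the SQL statement itself; here the
#    apostrophes produce a syntax error, and other punctuation in a body
#    could change what the statement does.
my $interpolated_ok = eval {
    $dbh->do(qq{
        INSERT INTO mail (ip_address, mail_message)
        VALUES ('$RelayAddr', '$msg')
    });
    1;
};
print "Interpolated INSERT: ",
    ($interpolated_ok ? "succeeded\n" : "failed: $@");

# 2. Prepared statement with placeholders. DBI passes the values separately
#    from the SQL text, so nothing in $msg is ever parsed as SQL.
my $sth = $dbh->prepare(q{
    INSERT INTO mail (ip_address, mail_message) VALUES (?, ?)
});
$sth->execute($RelayAddr, $msg);

# Confirm the body was stored byte-for-byte.
my ($stored) = $dbh->selectrow_array(
    q{SELECT mail_message FROM mail WHERE ip_address = ?}, undef, $RelayAddr);
print "Placeholder INSERT round-trip intact: ",
    ($stored eq $msg ? "yes" : "no"), "\n";
```

The same placeholder form works unchanged against MySQL or PostgreSQL through their DBD drivers; only the connect string differs.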