[Omaha.pm] Database -> XML

Jay Hannah jay at jays.net
Fri Apr 20 14:15:58 PDT 2007


On Apr 16, 2007, at 1:20 AM, George Neill wrote:
> Does Omni::DB take care of cleansing $prop from injections and such?

No, it doesn't. But that's an excellent concern to raise.

$prop (aka property aka hotel) is just hard-coded in my program source 
code for now. Later it will be in a loop controlled by the database 
(our "hotels" table has one row per hotel and prop is a key).

If I was ever going to accept $prop as input from the outside I'd (1) 
sanitize it with a regex, (2) make sure it was in a DBI placeholder, 
not just running loose in an SQL string, and (3) use Perl's taint mode.

... err: confession: I never use Perl's taint mode. But at least I'm 
aware that I probably should. Does that count?  :)

> I think your code below is simple enough and would be easy to maintain
> for a handful of tables.

Ya. I like it. Obviously it gets uglier as the table joins get uglier 
and/or the mapping needs to be nested/regrouped/etc, but I think the 
final result is as pretty as it's going to be in any language.  :)

j
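The regex-then-placeholder handling described above, written out as an added example (not code from the thread or from Omni::DB); it assumes DBD::SQLite is installed and builds a constructed in-memory "hotels" table to run against:

```perl
#!/usr/bin/perl
# Run as: perl -T example.pl OMA01   (-T turns on taint mode)
use strict;
use warnings;
use DBI;

# Constructed stand-in for the real "hotels" table (one row per hotel, prop is the key).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE hotels (prop TEXT PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO hotels VALUES (?, ?)', undef, 'OMA01', 'Example Hotel');

# (1) Sanitize: accept only a short alphanumeric key. Under -T the regex
# capture is also what untaints the value; anything else dies.
sub clean_prop {
    my ($raw) = @_;
    my ($prop) = $raw =~ /\A([A-Za-z0-9]{1,8})\z/
        or die "invalid prop\n";
    return $prop;
}

# (2) Bind the value as a DBI placeholder so it is never interpolated into
# the SQL string; the driver passes it as data, not as query text.
sub hotel_name {
    my ($dbh, $prop) = @_;
    my $sth = $dbh->prepare('SELECT name FROM hotels WHERE prop = ?');
    $sth->execute($prop);
    my ($name) = $sth->fetchrow_array;
    return $name;
}

my $input = defined $ARGV[0] ? $ARGV[0] : 'OMA01';   # untrusted, from the outside
print hotel_name($dbh, clean_prop($input)), "\n";
```

An input like `OMA01' OR '1'='1` fails the regex in clean_prop before it ever reaches DBI, and even a value that passed would only ever be compared as a literal string by the placeholder.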