guillaumeaubert / Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection

PerlCritic policy that attempts to detect the most common sources of SQL injection in manually crafted SQL statements, by detecting the use of variables inside interpolated strings that look like SQL statements.
https://metacpan.org/pod/Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection

Issue with SQL statements in an array with variables #5

Closed guillaumeaubert closed 10 years ago

guillaumeaubert commented 10 years ago

This example:

my ( $value ) = $dbh->selectrow_array( 'SELECT function(?)', undef, $input );

Fails with:

SQL injection risk at line NN column NN.  Variables in interpolated SQL string are susceptible to SQL injection: $input.  (Severity: 5, ValuesAndExpressions::PreventSQLInjection)
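To show why the statement above is a false positive, here is an added example (not the policy's own code, nor anything from this repository) that walks Perl source with PPI, the parser Perl::Critic is built on, and applies a deliberately simplified version of the check: flag a quoted string only if it looks like SQL, can interpolate, and actually contains a variable. The sample source lines, the SQL-keyword regex and the variable regex are all constructed for this illustration and are assumptions, not the policy's real heuristics.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

use PPI;   # the parser Perl::Critic itself uses (CPAN module, assumed installed)

# Constructed sample source: the issue's placeholder query, a genuinely
# interpolated query, and a double-quoted query that only uses a placeholder.
my $sample = <<'PERL';
my ( $value ) = $dbh->selectrow_array( 'SELECT function(?)', undef, $input );
my $rows = $dbh->selectall_arrayref( "SELECT * FROM users WHERE name = '$name'" );
my $ok   = $dbh->do( "DELETE FROM sessions WHERE expires < ?", undef, $now );
PERL

# Crude "looks like SQL" test: the string starts with a statement keyword.
my $sql_start = qr/^\s*(?:SELECT|INSERT|UPDATE|DELETE|REPLACE)\b/i;

# Return an arrayref of { line => N, vars => [...] } for every quoted string
# that looks like SQL, interpolates, and contains a scalar or array variable.
sub find_risky_sql {
    my ($code) = @_;
    my $doc = PPI::Document->new(\$code) or die PPI::Document->errstr;
    my $quotes = $doc->find('PPI::Token::Quote') || [];
    my @findings;

    for my $token (@$quotes) {
        my $text = $token->string;          # contents without the delimiters
        next unless $text =~ $sql_start;    # not SQL-looking, ignore

        # Single-quoted strings ('...' and q{...}) never interpolate, so a
        # '$input' passed separately as a bind value is never part of the SQL.
        # The issue's statement is exactly this case and must not be reported.
        next if $token->isa('PPI::Token::Quote::Single')
             || $token->isa('PPI::Token::Quote::Literal');

        # Double-quoted and qq{} strings: look for an unescaped $var or @var.
        my @vars = $text =~ /(?<!\\)([\$\@]\w+)/g;
        next unless @vars;                  # a bare "?" placeholder is fine

        push @findings, { line => $token->line_number, vars => \@vars };
    }
    return \@findings;
}

my $findings = find_risky_sql($sample);
for my $f (@$findings) {
    printf "SQL injection risk at line %d: %s\n",
        $f->{line}, join( ', ', @{ $f->{vars} } );
}
printf "%d risky statement(s) found\n", scalar @$findings;
```

Run against the constructed sample, only the second line (the one that interpolates `$name` into a double-quoted string) is reported; the issue's single-quoted query with `$input` as a bind value and the double-quoted query that uses only a `?` placeholder pass through, which is the behaviour the fix in v1.1.2 restores for the reported case.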
guillaumeaubert commented 10 years ago

Fix released as part of v1.1.2, closing.