Re: WTF
- Subject: Re: WTF
- From: "Chris Travers" <..hidden..>
- Date: Sun, 1 Oct 2006 21:13:44 -0700
FYI, there were some broken queries, but not that one.... Yes, it is
braindead notation, but that is not mine but Dieter's.
$form->{vc} is either customer or vendor (and I try to sanitize this
value). Therefore the second value is either $form->{customer_id} or
$form->{vendor_id}. The variables were just copied from the original
query.
On 10/1/06, Joshua D. Drake <..hidden..> wrote:
Tony Fraser wrote:
> Is anyone even minimally testing what gets committed on the SVN head?
>
> I checked it out to see what was going on and I can't believe what's
> gotten checked in. I know SQL Ledger is full of SQL Injection
> vulnerabilities but what is this:
>
> $form->{creditremaining} = $form->{creditlimit};
> $query = qq|
> SELECT SUM(amount - paid)
> FROM $arap
> WHERE ? = ?|;
>
> $sth = $dbh->prepare($query);
> $sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"})
> || $form->dberror($query);
>
> ????
>
> There's no way that will ever work, it's not the way to fix the SQL
> Injections.
I didn't write the code, however -- your tone is just a tad harsh. You
are going to get much better results with helping provide a solution
than lambasting people because of work done in -HEAD.
Secondly, I am sure that -HEAD would have been reviewed "before" we
released.
>
> DBI placeholders can _not_ be used as identifiers, from DBI(3)
> "placeholders can't be used for any element of a statement that would
> prevent the database server from validating the statement and creating a
> query execution plan for it".
>
Do you have a sample set of code that would work better?
Sincerely,
Joshua D. Drake
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
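As an added illustration (not code from the thread or from SQL-Ledger/LedgerSMB), the pattern Tony quotes and the fix he is asking for, reconstructed in Python with sqlite3 since its `?` placeholders behave like DBI's: a bound identifier is compared as a string literal, so the query silently matches nothing, while the fix takes the column name only from an allow-list and binds just the id. The `ar` table and its rows are constructed for this example.

```python
import sqlite3

# Constructed rows standing in for SQL-Ledger's AR table: (customer_id, amount, paid).
CUSTOMER_ROWS = [(1, 100.0, 40.0), (1, 50.0, 0.0), (2, 10.0, 10.0)]

# Allow-list: the only values $form->{vc} may map to. The identifier is taken
# from here, never from request text, so it cannot carry injected SQL.
ALLOWED_VC = {"customer": "customer_id", "vendor": "vendor_id"}


def make_db():
    """Build an in-memory table with the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ar (customer_id INTEGER, vendor_id INTEGER, "
        "amount REAL, paid REAL)"
    )
    db.executemany("INSERT INTO ar VALUES (?, NULL, ?, ?)", CUSTOMER_ROWS)
    return db


def outstanding_broken(db, vc, vc_id):
    """The quoted pattern: both sides of '=' are bound as values.

    The string 'customer_id' is compared with the id, the column is never
    consulted, no row matches, and SUM over no rows is NULL (None here).
    """
    row = db.execute(
        "SELECT SUM(amount - paid) FROM ar WHERE ? = ?", (f"{vc}_id", vc_id)
    ).fetchone()
    return row[0]


def outstanding_fixed(db, vc, vc_id):
    """Allow-listed identifier in the SQL text, placeholder for the value."""
    try:
        column = ALLOWED_VC[vc]
    except KeyError:
        raise ValueError(f"invalid vc: {vc!r}")
    row = db.execute(
        f"SELECT SUM(amount - paid) FROM ar WHERE {column} = ?", (vc_id,)
    ).fetchone()
    # COALESCE-style default: a customer with no open items owes 0.
    return row[0] if row[0] is not None else 0.0
```

The same shape carries over to DBI: look `$form->{vc}` up in a fixed hash to get the column name, interpolate that into `$query`, and pass only `$form->{"$form->{vc}_id"}` to `execute`.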
_______________________________________________
Ledger-smb-devel mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel