WTF
- Subject: WTF
- From: Tony Fraser <..hidden..>
- Date: Sun, 01 Oct 2006 19:03:13 -0700
Is anyone even minimally testing what gets committed on the SVN head?
I checked it out to see what was going on and I can't believe what's
gotten checked in. I know SQL Ledger is full of SQL Injection
vulnerabilities but what is this:
    $form->{creditremaining} = $form->{creditlimit};
    $query = qq|
        SELECT SUM(amount - paid)
        FROM $arap
        WHERE ? = ?|;
    $sth = $dbh->prepare($query);
    $sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"})
      || $form->dberror($query);
????
There's no way that will ever work; it's not the way to fix the SQL
injections.
DBI placeholders can _not_ be used as identifiers. From DBI(3):
"placeholders can't be used for any element of a statement that would
prevent the database server from validating the statement and creating a
query execution plan for it".
--
Tony Fraser
..hidden..
Sybaspace Internet Solutions System Administrator
phone: (250) 246-5368 fax: (250) 246-5398
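Added example, not code from the message above or from SQL-Ledger: the same three-way comparison in Python's sqlite3 module, whose `?` placeholders behave like DBI's for this purpose (a bound value is sent as data, never as an identifier). The table, rows, and the `ALLOWED_ARAP` / `ALLOWED_VC` allow-lists are constructed here for the demonstration; SQL-Ledger's real `ar`/`ap` tables and the exact fix it needs are not taken from the page.

```python
import sqlite3

# Constructed stand-in for an accounts-receivable table ("ar" in the
# original query). Only the columns the query touches are present.
SAMPLE_ROWS = [
    (1, 42, 100.0, 30.0),   # customer 42 still owes 70
    (2, 42, 50.0, 0.0),     # customer 42 still owes 50
    (3, 7, 10.0, 10.0),     # customer 7 is fully paid
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ar (id INTEGER, customer_id INTEGER, amount REAL, paid REAL)"
    )
    conn.executemany("INSERT INTO ar VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def outstanding_interpolated(conn, arap, vc, vc_id):
    """The injectable shape: table, column and value all pasted into SQL."""
    query = f"SELECT SUM(amount - paid) FROM {arap} WHERE {vc}_id = {vc_id}"
    return conn.execute(query).fetchone()[0]


def outstanding_placeholder_as_identifier(conn, arap, vc, vc_id):
    """The shape of the committed 'fix': column name passed as a bind value.

    The driver ships 'customer_id' as a string datum, so the clause is in
    effect  WHERE 'customer_id' = 42  and matches no row: SUM() of nothing
    is NULL (None here). The query is not injectable, but it is also wrong.
    """
    query = f"SELECT SUM(amount - paid) FROM {arap} WHERE ? = ?"
    return conn.execute(query, (f"{vc}_id", vc_id)).fetchone()[0]


# Assumed allow-lists for this example; identifiers cannot be bound, so they
# are validated against a closed set and only then interpolated.
ALLOWED_ARAP = {"ar", "ap"}
ALLOWED_VC = {"customer", "vendor"}


def outstanding_whitelisted(conn, arap, vc, vc_id):
    """Identifiers checked against the allow-list; only the value is bound."""
    if arap not in ALLOWED_ARAP or vc not in ALLOWED_VC:
        raise ValueError(f"unexpected identifier: {arap!r}/{vc!r}")
    query = f"SELECT SUM(amount - paid) FROM {arap} WHERE {vc}_id = ?"
    return conn.execute(query, (vc_id,)).fetchone()[0]


def whitelist_rejects(arap, vc):
    """True when the allow-list refuses the given identifiers."""
    try:
        outstanding_whitelisted(setup_db(), arap, vc, 42)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = setup_db()
    print("interpolated, customer 42 :", outstanding_interpolated(conn, "ar", "customer", "42"))
    print("interpolated, injected    :", outstanding_interpolated(conn, "ar", "customer", "7 OR 1=1"))
    print("placeholder as identifier :", outstanding_placeholder_as_identifier(conn, "ar", "customer", 42))
    print("whitelisted, customer 42  :", outstanding_whitelisted(conn, "ar", "customer", 42))
    print("whitelisted, injected     :", outstanding_whitelisted(conn, "ar", "customer", "7 OR 1=1"))
    print("whitelist rejects bad vc  :", whitelist_rejects("ar", "customer; --"))
```

The injected value `7 OR 1=1` turns the interpolated query into a sum over every row, the placeholder-as-identifier query returns NULL for every input, and the allow-list version both refuses unknown identifiers and treats the injected value as an ordinary (non-matching) string.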