
Re: WTF



Tony Fraser wrote:
> Is anyone even minimally testing what gets committed on the SVN head?
> 
> I checked it out to see what was going on and I can't believe what's
> gotten checked in. I know SQL Ledger is full of SQL Injection
> vulnerabilities but what is this:
> 
> 	$form->{creditremaining} = $form->{creditlimit};
> 	$query = qq|
> 		SELECT SUM(amount - paid)
> 		  FROM $arap
> 		 WHERE ? = ?|;
> 
> 	$sth = $dbh->prepare($query);
> 	$sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"})
> 		|| $form->dberror($query);
> 
> ????
> 
> There's no way that will ever work, it's not the way to fix the SQL
> Injections. 

I didn't write the code; however, your tone is just a tad harsh. You
are going to get much better results by helping provide a solution
than by lambasting people because of work done in -HEAD.

Secondly, I am sure that -HEAD would have been reviewed "before" we
released.

> 
> DBI placeholders can _not_ be used as identifiers, from DBI(3)
> "placeholders can't be used for any element of a statement that would
> prevent the database server from validating the statement and creating a
> query execution plan for it".
> 

Do you have a sample set of code that would work better?

Sincerely,

Joshua D. Drake


-- 

   === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
   Providing the most comprehensive  PostgreSQL solutions since 1997
             http://www.commandprompt.com/
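The following is an added example, not code from this thread or from SQL-Ledger/LedgerSMB. It reproduces the quoted `WHERE ? = ?` query against a constructed in-memory SQLite database (via DBD::SQLite) to show why it can never match a row, and then shows the shape of a fix: the column and table names are selected from an allow-list keyed on `$form->{vc}`, and only the value is bound through a placeholder. The table and column names (`ar`/`ap`, `customer_id`/`vendor_id`) are assumptions for the demonstration, and the sample rows are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed fixture standing in for SQL-Ledger's $arap tables
# (hypothetical schema: ar(customer_id, amount, paid), ap(vendor_id, amount, paid)).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE ar (customer_id INTEGER, amount NUMERIC, paid NUMERIC)');
$dbh->do('CREATE TABLE ap (vendor_id   INTEGER, amount NUMERIC, paid NUMERIC)');
$dbh->do('INSERT INTO ar VALUES (?, ?, ?)', undef, @$_)
    for ([1, 100, 40], [1, 50, 0], [2, 200, 200]);
$dbh->do('INSERT INTO ap VALUES (?, ?, ?)', undef, @$_)
    for ([7, 30, 10]);

# The -HEAD code from the thread, reproduced as posted. Both placeholders are
# bound as *values*, so after binding the clause reads  'customer_id' = '1':
# a comparison of two literals that is false for every row. The column is
# never consulted, no row matches, SUM() yields NULL and we get back undef.
sub broken_credit_used {
    my ($dbh, $form, $arap) = @_;
    my $sth = $dbh->prepare("SELECT SUM(amount - paid) FROM $arap WHERE ? = ?");
    $sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"});
    my ($sum) = $sth->fetchrow_array;
    return $sum;
}

# The fix: identifiers cannot be parameters, so they must come from a fixed
# allow-list indexed by the untrusted selector. Anything outside the list is
# rejected; nothing from $form is ever interpolated into the SQL text.
# (DBI's quote_identifier() only quotes; it does not replace this check.)
my %vc_target = (
    customer => [ 'ar', 'customer_id' ],   # assumed table/column names
    vendor   => [ 'ap', 'vendor_id'   ],
);

sub credit_used {
    my ($dbh, $form) = @_;
    my $target = $vc_target{ $form->{vc} }
        or die "unknown vc type '$form->{vc}'\n";
    my ($table, $col) = @$target;
    my $sth = $dbh->prepare(
        sprintf 'SELECT SUM(amount - paid) FROM %s WHERE %s = ?',
                $dbh->quote_identifier($table), $dbh->quote_identifier($col));
    # Only the value travels through the placeholder.
    $sth->execute($form->{"$form->{vc}_id"});
    my ($sum) = $sth->fetchrow_array;
    return defined $sum ? $sum : 0;
}

my $form = { vc => 'customer', customer_id => 1, creditlimit => 500 };

my $broken = broken_credit_used($dbh, $form, 'ar');
printf "broken query: %s\n", defined $broken ? $broken : 'undef (no rows matched)';

my $used = credit_used($dbh, $form);          # (100-40) + (50-0) = 110
$form->{creditremaining} = $form->{creditlimit} - $used;
printf "fixed query:  used %s, creditremaining %s\n", $used, $form->{creditremaining};

# A hostile selector never reaches the SQL text; the allow-list rejects it.
my $hostile = { vc => "customer_id; DROP TABLE ar; --", creditlimit => 500 };
eval { credit_used($dbh, $hostile) };
print "rejected: $@" if $@;
```

The allow-list is the real control here: `quote_identifier` protects against a stray quote in a name you already trust, but it cannot turn an arbitrary string into a safe identifier, and neither can a placeholder. The same pattern applies to `$arap` and any other table or column name the code currently interpolates from request data.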