[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Tony Fraser wrote:
> Is anyone even minimally testing what gets committed on the SVN head?
> I checked it out to see what was going on and I can't believe what's
> gotten checked in. I know SQL Ledger is full of SQL Injection
> vulnerabilities but what is this:
> 	$form->{creditremaining} = $form->{creditlimit};
> 	$query = qq|
> 		SELECT SUM(amount - paid)
> 		  FROM $arap
> 		 WHERE ? = ?|;
> 	$sth = $dbh->prepare($query);
> 	$sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"})
> 		|| $form->dberror($query);
> ????
> There's no way that will ever work, it's not the way to fix the SQL
> Injections. 

I didn't write the code, however -- your tone it just a tad harsh. You
are going to get much better results with helping provide a solution
then lambasting people because of work done in -HEAD.

Secondly, I am sure that -HEAD would have been reviewed "before" we

> DBI placeholders can _not_ be used as identifiers, from DBI(3)
> "placeholders can't be used for any element of a statement that would
> prevent the database server from validating the statement and creating a
> query execution plan for it".

Do you have a sample set of code that would work better?


Joshua D. Drake


   === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
   Providing the most comprehensive  PostgreSQL solutions since 1997