[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: WTF
- Subject: Re: WTF
- From: Tony Fraser <..hidden..>
- Date: Mon, 02 Oct 2006 00:32:37 -0700
On Sun, 2006-10-01 at 19:20 -0700, Joshua D. Drake wrote:
> Tony Fraser wrote:
> > Is anyone even minimally testing what gets committed on the SVN head?
> >
> > I checked it out to see what was going on and I can't believe what's
> > gotten checked in. I know SQL Ledger is full of SQL Injection
> > vulnerabilities but what is this:
> >
> > $form->{creditremaining} = $form->{creditlimit};
> > $query = qq|
> > SELECT SUM(amount - paid)
> > FROM $arap
> > WHERE ? = ?|;
> >
> > $sth = $dbh->prepare($query);
> > $sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"})
> > || $form->dberror($query);
> >
> > ????
> >
> > There's no way that will ever work, it's not the way to fix the SQL
> > Injections.
>
> I didn't write the code, however -- your tone it just a tad harsh. You
> are going to get much better results with helping provide a solution
> then lambasting people because of work done in -HEAD.
>
> Secondly, I am sure that -HEAD would have been reviewed "before" we
> released.
Oh, I'm sure it will and I wasn't expecting to see perfect code. I knew
what I was doing when I checked out -HEAD. I had no misconceptions about
the (lack of) production readiness of -HEAD code.
> > DBI placeholders can _not_ be used as identifiers, from DBI(3)
> > "placeholders can't be used for any element of a statement that would
> > prevent the database server from validating the statement and creating a
> > query execution plan for it".
>
> Do you have a sample set of code that would work better?
Well, at least this will execute without errors:
$form->{vc} =~ s/"/""/g;
$query = qq|
SELECT SUM(amount - paid)
FROM $arap
WHERE "$form->{vc}_id" = ?|;
$sth = $dbh->prepare($query);
$sth->execute($form->{"$form->{vc}_id"})
|| $form->dberror($query);
($form->{creditremaining}) -= $sth->fetchrow_array;
--
Tony Fraser
..hidden..
Sybaspace Internet Solutions System Administrator
phone: (250) 246-5368 fax: (250) 246-5398