[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WTF



On Sun, 2006-10-01 at 19:20 -0700, Joshua D. Drake wrote:
> Tony Fraser wrote:
> > Is anyone even minimally testing what gets committed on the SVN head?
> > 
> > I checked it out to see what was going on and I can't believe what's
> > gotten checked in. I know SQL Ledger is full of SQL Injection
> > vulnerabilities but what is this:
> > 
> > 	$form->{creditremaining} = $form->{creditlimit};
> > 	$query = qq|
> > 		SELECT SUM(amount - paid)
> > 		  FROM $arap
> > 		 WHERE ? = ?|;
> > 
> > 	$sth = $dbh->prepare($query);
> > 	$sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"})
> > 		|| $form->dberror($query);
> > 
> > ????
> > 
> > There's no way that will ever work, it's not the way to fix the SQL
> > Injections. 
> 
> I didn't write the code, however -- your tone it just a tad harsh. You
> are going to get much better results with helping provide a solution
> then lambasting people because of work done in -HEAD.
> 
> Secondly, I am sure that -HEAD would have been reviewed "before" we
> released.

Oh, I'm sure it will and I wasn't expecting to see perfect code. I knew
what I was doing when I checked out -HEAD. I had no misconceptions about
the (lack of) production readiness of -HEAD code.

> > DBI placeholders can _not_ be used as identifiers, from DBI(3)
> > "placeholders can't be used for any element of a statement that would
> > prevent the database server from validating the statement and creating a
> > query execution plan for it".
> 
> Do you have a sample set of code that would work better?

Well, at least this will execute without errors:

	$form->{vc} =~ s/"/""/g;
	$query = qq|
		SELECT SUM(amount - paid)
		  FROM $arap
		 WHERE "$form->{vc}_id" = ?|;

	$sth = $dbh->prepare($query);
	$sth->execute($form->{"$form->{vc}_id"})
		|| $form->dberror($query);

	($form->{creditremaining}) -= $sth->fetchrow_array;

-- 
Tony Fraser
..hidden..
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398