Re: WTF
- Subject: Re: WTF
- From: "Chris Travers" <..hidden..>
- Date: Mon, 2 Oct 2006 10:21:47 -0700
Actually, $form->{vc} should be whitelisted. I will check this and if
necessary add the code.
If $form->{vc} is whitelisted, then "$form->{vc}_id" is also safe.
I think it is dangerous to do anything *other* than whitelisting
$form->{vc} because that might allow more subtle SQL injection
possibilities than DBI's native facilities can handle (not so much in
this query but in others).
On 10/2/06, Tony Fraser <..hidden..> wrote:
On Mon, 2006-10-02 at 00:32 -0700, Tony Fraser wrote:
> Well, at least this will execute without errors:
>
> $form->{vc} =~ s/"/""/g;
> $query = qq|
> SELECT SUM(amount - paid)
> FROM $arap
> WHERE "$form->{vc}_id" = ?|;
>
> $sth = $dbh->prepare($query);
> $sth->execute($form->{"$form->{vc}_id"})
> || $form->dberror($query);
>
> ($form->{creditremaining}) -= $sth->fetchrow_array;
There's a subtle bug in the code above (re-quotes $form->{vc} every
run). This works better:
my $vc_id = $dbh->quote_identifier("$form->{vc}_id");
$form->{creditremaining} = $form->{creditlimit};
$query = qq|
SELECT SUM(amount - paid)
FROM $arap
WHERE $vc_id = ?|;
$sth = $dbh->prepare($query);
$sth->execute($form->{"$form->{vc}_id"})
|| $form->dberror($query);
DBI->quote_identifier(...) was added in DBI 1.21, released Feb 2002.
That doesn't seem like an unreasonable prerequisite to me. What does
the list think?
--
Tony Fraser
..hidden..
Sybaspace Internet Solutions System Administrator
phone: (250) 246-5368 fax: (250) 246-5398
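The thread's two points, that an interpolated identifier such as `"$form->{vc}_id"` (and `$arap`) can only be made safe by whitelisting it before it reaches the query string, and that the quoted `s/"/""/g` on `$form->{vc}` is not idempotent because it mutates the value every run, are shown below as an added example. It is not code from the thread or from LedgerSMB; it transliterates the Perl DBI pattern into Python's `sqlite3` module so it runs offline, and the whitelists, table layout, `form` dictionary and sample rows are constructed for the example.

```python
import sqlite3

# Constructed whitelists. The page says $form->{vc} should be whitelisted;
# $arap is interpolated into the same query and needs the same treatment.
ALLOWED_VC = ("customer", "vendor")
ALLOWED_ARAP = ("ar", "ap")


def checked(value, allowed, what):
    """Return value only if it is on the whitelist; refuse anything else.
    Placeholders cannot carry identifiers, so this check is the only defence."""
    if value not in allowed:
        raise ValueError(f"refusing to interpolate {what}={value!r}; "
                         f"not one of {allowed}")
    return value


def quote_identifier(name):
    """SQL-standard double-quoted identifier with embedded quotes doubled,
    applied to a copy (the same idea as DBI's quote_identifier)."""
    return '"' + name.replace('"', '""') + '"'


def requote_in_place(form):
    """The quoted snippet's  $form->{vc} =~ s/"/""/g;  -- it rewrites the
    stored value, so every call doubles the quotes again."""
    form["vc"] = form["vc"].replace('"', '""')
    return form["vc"]


def credit_remaining(conn, form):
    """Port of the quoted query: identifiers are whitelisted and quoted,
    the entity id is bound as a value, SUM of nothing (NULL) counts as 0."""
    arap = checked(form["arap"], ALLOWED_ARAP, "arap")
    vc = checked(form["vc"], ALLOWED_VC, "vc")
    col = quote_identifier(f"{vc}_id")
    query = f"SELECT SUM(amount - paid) FROM {arap} WHERE {col} = ?"
    # Mirrors $form->{"$form->{vc}_id"}: look up the id under the derived key.
    (total,) = conn.execute(query, (form[f"{vc}_id"],)).fetchone()
    return form["creditlimit"] - (total or 0)


def make_sample_db():
    """Constructed in-memory AR/AP tables with a few open and settled rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ar (customer_id INTEGER, amount REAL, paid REAL);
        CREATE TABLE ap (vendor_id INTEGER, amount REAL, paid REAL);
        INSERT INTO ar VALUES (1, 500, 200), (1, 300, 0), (2, 100, 100);
        INSERT INTO ap VALUES (7, 50, 10);
    """)
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(credit_remaining(db, {"arap": "ar", "vc": "customer",
                                "customer_id": 1, "creditlimit": 1000}))
    f = {"vc": 'x"y'}
    requote_in_place(f)
    print(requote_in_place(f))  # quotes doubled twice, not once
```

Passing a crafted `vc` such as `customer_id" = customer_id OR "1` never reaches the query string: `checked` raises before the f-string is built, which is the property the thread wants from whitelisting rather than from escaping.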
_______________________________________________
Ledger-smb-devel mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel