
Re: WTF



Interesting.  The query executed fine when I tried it.  Just in case
there are problems with different versions, I will fix it.

Thanks,
Chris Travers

I will rewrite this

On 10/2/06, Tony Fraser <..hidden..> wrote:
On Sun, 2006-10-01 at 19:20 -0700, Joshua D. Drake wrote:
> Tony Fraser wrote:
> > Is anyone even minimally testing what gets committed on the SVN head?
> >
> > I checked it out to see what was going on and I can't believe what's
> > gotten checked in. I know SQL Ledger is full of SQL Injection
> > vulnerabilities but what is this:
> >
> >     $form->{creditremaining} = $form->{creditlimit};
> >     $query = qq|
> >             SELECT SUM(amount - paid)
> >               FROM $arap
> >              WHERE ? = ?|;
> >
> >     $sth = $dbh->prepare($query);
> >     $sth->execute("$form->{vc}_id", $form->{"$form->{vc}_id"})
> >             || $form->dberror($query);
> >
> > ????
> >
> > There's no way that will ever work, it's not the way to fix the SQL
> > Injections.
>
> I didn't write the code, however -- your tone is just a tad harsh. You
> are going to get much better results with helping provide a solution
> than lambasting people because of work done in -HEAD.
>
> Secondly, I am sure that -HEAD would have been reviewed "before" we
> released.

Oh, I'm sure it will and I wasn't expecting to see perfect code. I knew
what I was doing when I checked out -HEAD. I had no misconceptions about
the (lack of) production readiness of -HEAD code.

> > DBI placeholders can _not_ be used as identifiers, from DBI(3)
> > "placeholders can't be used for any element of a statement that would
> > prevent the database server from validating the statement and creating a
> > query execution plan for it".
>
> Do you have a sample set of code that would work better?

Well, at least this will execute without errors:

        $form->{vc} =~ s/"/""/g;
        $query = qq|
                SELECT SUM(amount - paid)
                  FROM $arap
                 WHERE "$form->{vc}_id" = ?|;

        $sth = $dbh->prepare($query);
        $sth->execute($form->{"$form->{vc}_id"})
                || $form->dberror($query);

        ($form->{creditremaining}) -= $sth->fetchrow_array;

--
Tony Fraser
..hidden..
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398


_______________________________________________
Ledger-smb-devel mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
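Added example, not code from this thread and not LedgerSMB or SQL-Ledger code. It shows in runnable form why the `WHERE ? = ?` statement "executes fine" and still cannot work: a bind parameter is always a value, so the database ends up comparing two bound values to each other and never looks at a column. It then shows the two correct shapes of the fix, an allow-list of known column names (the fix to prefer when the set of columns is fixed, as it is for customer/vendor) and SQL-standard identifier quoting (the `s/"/""/g` trick from the thread, which is what DBI's `$dbh->quote_identifier` does for you). Python's sqlite3 stands in for DBI/DBD::Pg because bind-parameter semantics are the same in every driver; the table and column names (`ar`, `customer_id`, `vendor_id`, `amount`, `paid`) and the sample rows are assumptions constructed for illustration, not the real schema.

```python
import sqlite3

# Added example, not LedgerSMB code. Table, column names and rows below are
# assumptions constructed for illustration; they are not the real SQL-Ledger
# schema. sqlite3 stands in for DBI/DBD::Pg because the bind-parameter
# semantics that matter here are the same in every driver.

ARAP_COLUMNS = {"customer": "customer_id", "vendor": "vendor_id"}


def make_db():
    """Constructed sample data: one AR table with two customers' invoices."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE ar (
            id          INTEGER PRIMARY KEY,
            customer_id INTEGER,
            vendor_id   INTEGER,
            amount      REAL,
            paid        REAL
        );
        INSERT INTO ar (customer_id, vendor_id, amount, paid) VALUES
            (1, NULL, 100.0, 40.0),
            (1, NULL,  50.0,  0.0),
            (2, NULL, 999.0,  0.0);
        """
    )
    return db


def outstanding_broken(db, vc, vc_id):
    """The pattern from the thread: the column name is passed as a bind value.

    The statement prepares and executes without error, which is why it looks
    fine in a quick test, but the database compares the two bound values to
    each other. No column is involved, so the predicate is either false for
    every row (SUM over nothing -> NULL) or, if the caller can make the two
    values equal, true for every row (everyone's balance, not this customer's).
    """
    row = db.execute(
        "SELECT SUM(amount - paid) FROM ar WHERE ? = ?",
        (f"{vc}_id", vc_id),
    ).fetchone()
    return row[0]


def outstanding_fixed(db, vc, vc_id):
    """Identifier taken from a fixed allow-list, value bound as a parameter.

    Preferred when the set of valid columns is known up front: untrusted
    input never reaches the SQL text at all.
    """
    if vc not in ARAP_COLUMNS:
        raise ValueError(f"unknown vc type: {vc!r}")
    column = ARAP_COLUMNS[vc]
    row = db.execute(
        f"SELECT SUM(amount - paid) FROM ar WHERE {column} = ?",
        (vc_id,),
    ).fetchone()
    return row[0] or 0.0


def quote_identifier(name):
    """SQL-standard identifier quoting: wrap in double quotes and double any
    embedded double quote. This is what the thread's s/"/""/g does by hand
    and what DBI's $dbh->quote_identifier does for you."""
    return '"' + name.replace('"', '""') + '"'


def outstanding_quoted(db, vc, vc_id):
    """Same query with the identifier quoted instead of allow-listed.

    Quoting keeps hostile input inside the identifier, so the worst case is a
    query against a column that does not exist. Most builds then raise
    "no such column"; SQLite builds with the legacy double-quoted-string
    setting instead treat the unknown name as a string literal, which matches
    no row. Either way no other customer's rows are reached.
    """
    column = quote_identifier(f"{vc}_id")
    row = db.execute(
        f"SELECT SUM(amount - paid) FROM ar WHERE {column} = ?",
        (vc_id,),
    ).fetchone()
    return row[0] or 0.0


def probe(db, fn, vc, vc_id):
    """Run fn and return its result, or the name of the exception it raised."""
    try:
        return fn(db, vc, vc_id)
    except (ValueError, sqlite3.OperationalError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    hostile = 'customer" OR "1"="1'
    print("broken, customer 1:       ", probe(db, outstanding_broken, "customer", 1))
    print("broken, value=column name:", probe(db, outstanding_broken, "customer", "customer_id"))
    print("fixed, customer 1:        ", probe(db, outstanding_fixed, "customer", 1))
    print("fixed, hostile vc:        ", probe(db, outstanding_fixed, hostile, 1))
    print("quoted, customer 1:       ", probe(db, outstanding_quoted, "customer", 1))
    print("quoted, hostile vc:       ", probe(db, outstanding_quoted, hostile, 1))
```

The broken form returns nothing for the real customer and the whole ledger's balance when the bound value happens to equal the bound column name, which is the "it runs but cannot work" point. In the Perl original the equivalent of the allow-list is a hash keyed by `$form->{vc}`, and the equivalent of `quote_identifier` is `$dbh->quote_identifier("$form->{vc}_id")`; in both cases the `_id` value itself stays a `?` placeholder.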