[ic] Perl/SQL - UPDATE Queries

Russ Mann interchange-users@lists.akopia.com
Mon Jul 2 17:08:00 2001


Thank you Mark.  I think the missing information from other responses to
this question is this:

[flag type=write tables="userdb ship_addresses transactions orderline"]

That might be good to add to the documentation where it talks about the %Db
hash and the [query] tags.

As for SQL escaping the data, in order to make sure the users enter email
addresses, I am pattern matching for this:

if ($login_email =~ /(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/ ||
    $login_email !~ /^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,3}|[0-9]{1,3})(\]?)$/) {
    # address rejected: the SQL never gets run
}

And if it doesn't pass this matching scheme, the SQL never gets run.

The reason for this is I theorized someone putting this in for the
"username" email address:

myaddress@dot.com' password='mypass' where
username='someoneelses@username.com';

Which, if run through as the variable $login_email in the SQL query
theoretically could have resulted in compromising someone else's account
password.

Thanks again,

Russ
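The check and the risk described in the post, worked through as an added example (not code from Russ's post or from Interchange). It is written in Python against an in-memory SQLite database rather than Perl/Interchange; the two regexes are ported from the post, the table name userdb comes from the [flag] line, and the username/password column names and the sample accounts are assumptions. The validator rejects the crafted address because it contains two @ signs; the UPDATE is also run with bind parameters, so even if the validator were skipped the whole string would be compared as one username and match nothing.

```python
import re
import sqlite3

# Rejection patterns, ported from the Perl in the post: any of these shapes
# means the address is refused before the SQL is built.
BAD_SHAPES = re.compile(r"(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)")
# Required overall shape, also ported from the post.
WELL_FORMED = re.compile(r"^.+@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,3}|[0-9]{1,3})(\]?)$")

# Constructed payload in the shape the post warns about.
CRAFTED = "myaddress@dot.com' password='mypass' where username='someoneelses@username.com';"


def email_ok(addr):
    """Same decision as the post's Perl condition: True only if the SQL may run."""
    return BAD_SHAPES.search(addr) is None and WELL_FORMED.search(addr) is not None


def make_db():
    """Constructed sample userdb table (column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userdb (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO userdb VALUES (?, ?)",
        [("russ@example.com", "orig1"), ("someoneelses@username.com", "orig2")],
    )
    db.commit()
    return db


def set_password(db, login_email, new_password):
    """Validate first; returns the number of rows changed (0 = SQL never ran)."""
    if not email_ok(login_email):
        return 0
    return set_password_unvalidated(db, login_email, new_password)


def set_password_unvalidated(db, login_email, new_password):
    """The UPDATE with bind parameters: the driver never splices the value into
    the statement text, so quotes inside login_email cannot end the literal."""
    cur = db.execute(
        "UPDATE userdb SET password = ? WHERE username = ?",
        (new_password, login_email),
    )
    db.commit()
    return cur.rowcount


def password_of(db, username):
    row = db.execute(
        "SELECT password FROM userdb WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("crafted address accepted?", email_ok(CRAFTED))
    print("rows changed by crafted address:", set_password(db, CRAFTED, "mypass"))
    print("victim password still:", password_of(db, "someoneelses@username.com"))
```

Both layers are worth keeping: the pattern match stops the request early, and the bind parameters mean the outcome does not depend on the pattern being airtight.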