[ic] Does ORDER BY rand() work in sql query ?
Steffen Dettmer
interchange-users@icdevgroup.org
Mon Jul 1 05:03:03 2002
* Kevin Walsh wrote on Sat, Jun 29, 2002 at 10:47 +0100:
> > as "select * from products
> > where PurchasedZip LIKE 10101 ORDER BY rand() LIMIT 500"
> > and I can do the same search in IC with no problem if I use the followi=
ng
> > form with the exception of the "rand()" sorting:
> >=20
> > <form action=3D"[process-search]" method=3D"post">
> > <input type=3D"hidden" name=3D"mv_searchtype" value=3D"sql">
> > <input type=3D"hidden" name=3D"mv_matchlimit" value=3D"500">
> > <input type=3D"text" size=3D"20" name=3D"searchzip" value=3D"">
> > <input type=3D"hidden" name=3D"mv_sql_query" value=3D"select * from pr=
oducts
> > where PurchasedZip LIKE searchzip ORDER BY rand() LIMIT 500">
> > <input type=3D"submit" name=3D"mv-todo" value=3D"Search">
> > </FORM>
> >=20
[...]
> Instead of this, Interchange does a "SELECT * FROM yourtable" and
> then parses the results using the SQL::Statement module and your
> "SQL". I'm quoting "SQL" here because the SQL::Statement module is
> not a full SQL parser - as you have found.
Does that mean, that IC fetches *all* product records from DBMS
in that case?! Would be horrible slow!
> If you want to use SQL then you should take a look at the [query]
> tag.
Yes, and if you do so, stop passing query options to the browser
and get them back via hidden field GETs/POSTs. This is horrible.
You do not trust the browser. Keep in mind, that it is very
simple to fake the content of the hidden fields! Well, and the
case posted above it may be possible to do a malicious query by
setting mv-todo to delete or such. This is very easy to do! And
please do not make the mistake to think that the REFERER field of
the HTTP header would secure anything!
Such things have to be stored in scratch pad. If you have
multiple actions on the page, you may use some nested data
structures with some index or identifier, and pass the identifier
in the form. In that case, the browser can fake that identifier,
but can select a query only - not building an own!
Well, I really wonder why somebody would use hidden fields for
such tramp data - the repeated formmail.pl problems should be
really well-known! If not, check out i.e. security-focus.com,
there are nice descriptions about such issues!
IC offers the possibility to store safe (means, the browser
cannot directly modify) vars in the scratch pad. So please use
it.
oki,
Steffen
--=20
Dieses Schreiben wurde maschinell erstellt,
es tr=E4gt daher weder Unterschrift noch Siegel.