[ic] "==" and "!=" as DB field values
Doug Alcorn
doug at lathi.net
Tue Oct 28 09:37:08 EST 2003
Stefan Hornburg <racke at linuxia.de> writes:
> $Db{products}->query("select * from products where name = '$CGI->{foo}'");
>
> => that's unsafe IMHO
Just to clarify, if
$CGI->{foo} = "'; delete from products;'"
Then there could be problems. In this case, you should escape any
single quotes in $CGI->{foo}.
[perl]
# racke says my perl is "rusty", so take this with a few grains of sandpaper
my $foo = $Tag->filter('sql', $CGI->{foo});
my $ref = $Db{products}->query("select * from products where name = '$foo'");
[/perl]
The moral of the story is that it's very, very rare when anything the
user inputs is valid. Almost always there are a certain set of
characters that are invalid. Try to think about this and escape these
characters or manage those cases. Thank the IC core team for the
filter tag and its flexibility.
--
(__) Doug Alcorn - Unix/Linux/Web Developing
oo / PGP 02B3 1E26 BCF2 9AAF 93F1 61D7 450C B264 3E63 D543
|_/ mailto:doug at lathi.net http://www.lathi.net
mailto:tarpit at lathi.net is a spam trap
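Added example (not from the post or from Interchange): the post's point reduced to code. It assumes the `sql` filter escapes a string for use inside a single-quoted SQL literal by doubling every single quote (an assumption about Interchange's filter, not its source), and uses Python with an in-memory SQLite table of constructed products in place of Perl and Interchange's `$Db{products}`. It shows the query string the unsafe interpolation produces from the post's input, the string the escaped version produces, and that both the escaped query and a placeholder query leave the table intact.

```python
import sqlite3

# The hostile value of $CGI->{foo} from the post (constructed sample input).
HOSTILE_NAME = "'; delete from products;'"


def sql_escape(value: str) -> str:
    """Double every single quote so the value stays inside one SQL string literal.
    Assumed to be the effect of Interchange's [filter sql]; not its implementation."""
    return value.replace("'", "''")


def build_query_unsafe(name: str) -> str:
    """Direct interpolation, as in the quoted first example."""
    return f"select * from products where name = '{name}'"


def build_query_escaped(name: str) -> str:
    """Interpolation after escaping, as in the post's [perl] block."""
    return f"select * from products where name = '{sql_escape(name)}'"


def make_db() -> sqlite3.Connection:
    """In-memory products table with three constructed rows (stand-in for $Db{products})."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (sku text, name text)")
    conn.executemany(
        "insert into products values (?, ?)",
        [("sku-001", "Ear Muffs"), ("sku-002", "Disposable Gloves"), ("sku-003", "Hammer")],
    )
    conn.commit()
    return conn


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Run the escaped query: the hostile input is now just a name nobody has."""
    return conn.execute(build_query_escaped(name)).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The stronger option: let the driver bind the value, no quoting by hand."""
    return conn.execute("select * from products where name = ?", (name,)).fetchall()


def count_products(conn: sqlite3.Connection) -> int:
    return conn.execute("select count(*) from products").fetchone()[0]


if __name__ == "__main__":
    print("unsafe:  ", build_query_unsafe(HOSTILE_NAME))
    print("escaped: ", build_query_escaped(HOSTILE_NAME))
    db = make_db()
    print("escaped lookup:", lookup_escaped(db, HOSTILE_NAME))
    print("bound lookup:  ", lookup_parameterized(db, HOSTILE_NAME))
    print("rows left:     ", count_products(db))
```

The unsafe string ends up as two statements, `select ... name = ''; delete from products;''`, which is what the post means by "there could be problems". After escaping, the whole input is one literal, `'''; delete from products;'''`, and the query simply matches nothing. The placeholder version reaches the same result without any per-character thinking, which is why it is the form to reach for when the driver supports it.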