[ic] ActionMap SQL injection
Mike Heins
mike at perusion.com
Sat Jun 5 15:35:56 EDT 2004
Quoting John1 (list_subscriber at yahoo.co.uk):
> I am using an ActionMap (BTW, a great feature I have only just discovered
> how to use! :-) ), to pass parameters to an SQL query and would like to
> know if I need to take any precautions over SQL injection, or does
> Interchange filter out unsafe stuff passed from the URL via an ActionMap?
>
> Here is the scenario:
>
> ##Action map defined in catalog.cfg
> ActionMap my_search <<EOR
> sub {
> my ($action, $category) = split ('/', shift);
> $CGI->{action} = $action;
> $CGI->{category} = $category;
> $CGI->{mv_nextpage} = 'myresults';
> $Tag->update('process');
> return 1;
> }
> EOR
>
>
> ##query contained in myresults.html
> [query arrayref=main type=list sql=|select sku, description, price from
> products where category='[cgi param]']
>
> Is it safe to just use [cgi param] in an [query] tag as above?
I would recommend:
$CGI->{category} = $Tag->filter('sql', $category);
This should prevent the possibility of an injected subquery.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.647.1295 tollfree 800-949-1889 <mike at perusion.com>
I am a great believer in luck, and I find that the harder I work
the more luck I have. -- Thomas Jefferson
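Putting the two pieces together, here is the ActionMap from the question rewritten the way the reply suggests, with an allow-list check in front of the filter. This is an added illustration, not code from the thread or from Interchange itself; the category pattern, the length limit and the 'badsearch' page name are my own assumptions.

```perl
# Hardened version of the my_search ActionMap (added example, not from the
# original thread). Goes in catalog.cfg like the original.
ActionMap my_search <<EOR
sub {
    my ($action, $category) = split '/', shift;

    # Allow-list first: a category name is letters, digits, '_' or '-' and
    # at most 64 characters (assumed limits). Anything else never reaches the
    # [query] tag; the request is sent to an error page instead of the
    # results page ('badsearch' is an assumed page name).
    unless (defined $category && $category =~ /\A[\w-]{1,64}\z/) {
        $CGI->{mv_nextpage} = 'badsearch';
        return 1;
    }

    $CGI->{action} = $action;

    # Belt and braces: even after the allow-list, apply the 'sql' filter
    # recommended above so a stray single quote cannot terminate the
    # string literal in "where category='[cgi category]'".
    $CGI->{category} = $Tag->filter('sql', $category);

    $CGI->{mv_nextpage} = 'myresults';
    $Tag->update('process');
    return 1;
}
EOR
```

The allow-list is the real control here; the filter only guards the one case the page discusses (a quote closing the literal), so keep both rather than relying on the filter alone.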