[ic] ActionMap SQL injection

Mike Heins mike at perusion.com
Sat Jun 5 15:35:56 EDT 2004


Quoting John1 (list_subscriber at yahoo.co.uk):
> I am using an ActionMap (BTW, a great feature I have only just discovered
> how to use! :-)  ), to pass parameters to an SQL query and would like to
> know if I need to take any precautions over SQL injection, or does
> Interchange filter out unsafe stuff passed from the URL via an ActionMap?
> 
> Here is the scenario:
> 
> ##Action map defined in catalog.cfg
> ActionMap  my_search <<EOR
> sub {
>  my ($action, $category) = split ('/', shift);
>  $CGI->{action} = $action;
>  $CGI->{category} = $category;
>  $CGI->{mv_nextpage} = 'myresults';
>  $Tag->update('process');
>  return 1;
> }
> EOR
> 
> 
> ##query contained in myresults.html
> [query arrayref=main type=list sql=|select sku, description, price from
> products where category='[cgi param]']
> 
> Is it safe to just use [cgi param] in an [query] tag as above?

I would recommend:

    $CGI->{category} = $Tag->filter('sql', $category);

This should prevent the possibility of an injected subquery.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

I am a great believer in luck, and I find that the harder I work
the more luck I have. -- Thomas Jefferson
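Added illustration, not part of the thread: a stand-alone Perl script that follows Mike's advice in the ActionMap from the question. `sql_filter` is an assumed stand-in for Interchange's `$Tag->filter('sql', ...)` (single-quote doubling) so the script runs outside Interchange; `build_query` mirrors the string the `[query]` tag in myresults.html would produce.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for Interchange's $Tag->filter('sql', $value). Assumption: the
# real sql filter doubles single quotes so the value cannot close the
# string literal it is interpolated into.
sub sql_filter {
    my ($value) = @_;
    $value =~ s/'/''/g;
    return $value;
}

# Hardened form of the ActionMap from the question: the path segment is
# filtered before it is stored in $CGI, where [query] later picks it up.
sub my_search {
    my ($path) = @_;
    my %CGI;
    my ($action, $category) = split '/', $path;
    $CGI{action}      = $action;
    $CGI{category}    = sql_filter($category // '');
    $CGI{mv_nextpage} = 'myresults';
    return \%CGI;
}

# The SQL that myresults.html would send for a given $CGI->{category}.
sub build_query {
    my ($category) = @_;
    return "select sku, description, price from products "
         . "where category='$category'";
}

# Constructed sample paths: a plain category and one containing a quote.
for my $path ('my_search/books', "my_search/O'Reilly") {
    my $cgi = my_search($path);
    print "path: $path\n";
    print "  raw category:      ", (split '/', $path)[1], "\n";
    print "  filtered category: $cgi->{category}\n";
    print "  query: ", build_query($cgi->{category}), "\n\n";
}
```

For the second path the filtered value is `O''Reilly`, so the quote stays inside the literal instead of terminating it.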

