[ic] ActionMap SQL injection

John1 list_subscriber at yahoo.co.uk
Sat Jun 5 16:24:03 EDT 2004


On Saturday, June 05, 2004 8:35 PM, mike at perusion.com wrote:

> Quoting John1 (list_subscriber at yahoo.co.uk):
>> I am using an ActionMap (BTW, a great feature I have only just
>> discovered how to use! :-)  ), to pass parameters to an SQL query
>> and would like to know if I need to take any precautions over SQL
>> injection, or does Interchange filter out unsafe stuff passed from
>> the URL via an ActionMap?
>>
>> Here is the scenario:
>>
>> ##Action map defined in catalog.cfg
>> ActionMap  my_search <<EOR
>> sub {
>>  my ($action, $category) = split ('/', shift);
>>  $CGI->{action} = $action;
>>  $CGI->{category} = $category;
>>  $CGI->{mv_nextpage} = 'myresults';
>>  $Tag->update('process');
>>  return 1;
>> }
>> EOR
>>
>>
>> ##query contained in myresults.html
>> [query arrayref=main type=list sql=|select sku, description, price
>> from products where category='[cgi param]']
>>
>> Is it safe to just use [cgi param] in an [query] tag as above?
>
> I would recommend:
>
>     $CGI->{category} = $Tag->filter('sql', $category);
>
> This should prevent the possibility of an injected subquery.
>
Ah yes, perhaps I should have RTFM :-o.  I vaguely remember the sql filter
tag from the documentation.  Thanks again Mike!
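The exchange above is about a URL path segment (`category`) being spliced straight into a `[query]` string. The following is an added example, not code from the thread or from Interchange, written in Python with the stdlib `sqlite3` module so it runs stand-alone; the `products` rows are constructed sample data, `sql_filter` approximates a quote-doubling SQL escape filter (the standard string-literal escape, not Interchange's own implementation), and `query_bound` shows the bound-parameter alternative that avoids the problem entirely.

```python
import sqlite3

# Constructed sample rows for a products table (sku, description, price, category).
# Not data from the mailing list or any real catalog.
PRODUCTS = [
    ("sku1", "Widget", 9.99, "tools"),
    ("sku2", "Gadget", 19.99, "gifts"),
    ("sku3", "Internal item", 0.0, "internal"),
]


def make_db():
    """Build an in-memory database holding the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table products (sku text, description text, price real, category text)"
    )
    conn.executemany("insert into products values (?, ?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def split_action_path(path):
    """Mirror the ActionMap's split('/', ...): 'my_search/tools' -> ('my_search', 'tools')."""
    parts = path.split("/", 2)
    action = parts[0] if len(parts) > 0 else ""
    category = parts[1] if len(parts) > 1 else ""
    return action, category


def query_interpolated(conn, category):
    """The pattern from the post: the CGI value is spliced into the SQL text.

    Anything the caller puts in the URL segment becomes part of the statement,
    so a quote character changes the query's structure rather than its data.
    """
    sql = (
        "select sku, description, price from products "
        "where category='%s'" % category
    )
    return conn.execute(sql).fetchall()


def sql_filter(value):
    """Double single quotes so the value stays inside its string literal.

    This is the generic SQL string-literal escape; it is only sufficient when
    the value lands inside single quotes, never for numeric or identifier
    positions, which need validation instead.
    """
    return value.replace("'", "''")


def query_filtered(conn, category):
    """Same interpolation, but with the value passed through the escape filter first."""
    return query_interpolated(conn, sql_filter(category))


def query_bound(conn, category):
    """Preferred form: the driver binds the value, so it can never be parsed as SQL."""
    return conn.execute(
        "select sku, description, price from products where category=?",
        (category,),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    _, cat = split_action_path("my_search/tools")
    print("normal request:", query_bound(conn, cat))
    # A request whose category segment carries a quote: the interpolated query
    # returns rows outside the requested category, the filtered and bound ones do not.
    _, bad = split_action_path("my_search/tools' or '1'='1")
    print("interpolated:", len(query_interpolated(conn, bad)), "rows")
    print("filtered:    ", len(query_filtered(conn, bad)), "rows")
    print("bound:       ", len(query_bound(conn, bad)), "rows")
```

Note that the ActionMap in the post also copies `$action` into `$CGI` unfiltered; if that value is ever used in a `[query]` the same treatment applies. The escape filter is the fix the thread arrives at and is adequate for a value that sits inside single quotes, while bound parameters (where the database driver supports them) remove the dependence on quoting context altogether.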


