[ic] ActionMap SQL injection
John1
list_subscriber at yahoo.co.uk
Sat Jun 5 16:24:03 EDT 2004
On Saturday, June 05, 2004 8:35 PM, mike at perusion.com wrote:
> Quoting John1 (list_subscriber at yahoo.co.uk):
>> I am using an ActionMap (BTW, a great feature I have only just
>> discovered how to use! :-) ), to pass parameters to an SQL query
>> and would like to know if I need to take any precautions over SQL
>> injection, or does Interchange filter out unsafe stuff passed from
>> the URL via an ActionMap?
>>
>> Here is the scenario:
>>
>> ##Action map defined in catalog.cfg
>> ActionMap my_search <<EOR
>> sub {
>>     my ($action, $category) = split ('/', shift);
>>     $CGI->{action} = $action;
>>     $CGI->{category} = $category;
>>     $CGI->{mv_nextpage} = 'myresults';
>>     $Tag->update('process');
>>     return 1;
>> }
>> EOR
>>
>>
>> ##query contained in myresults.html
>> [query arrayref=main type=list sql=|select sku, description, price
>> from products where category='[cgi param]']
>>
>> Is it safe to just use [cgi param] in an [query] tag as above?
>
> I would recommend:
>
> $CGI->{category} = $Tag->filter('sql', $category);
>
> This should prevent the possibility of an injected subquery.
>
Ah yes, perhaps I should have RTFM :-o. I vaguely remember the sql filter
tag from the documentation. Thanks again Mike!
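Added example (not from the thread, and not Interchange code): a stand-alone Python/sqlite3 script that reproduces the shape of the quoted [query] tag, where the category value is spliced straight into the SQL string, and shows why the unfiltered version is injectable. It then applies the two defences a practitioner would compare: quote-doubling, which is assumed here to be what Interchange's 'sql' filter does (the thread only names the filter, it does not describe it), and a bound parameter, which keeps the value out of the SQL grammar entirely. The products table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the catalog's "products" table.
# Not data from the original post.
PRODUCTS = [
    ("os28004", "Ergo Roller", 4.50, "Hammers"),
    ("os28005", "Disposable Latex Gloves", 3.00, "Gloves"),
    ("os28006", "Brush", 2.25, "Hammers"),
]


def make_db():
    """Build an in-memory table with the columns the quoted query selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table products "
        "(sku text, description text, price real, category text)"
    )
    conn.executemany("insert into products values (?, ?, ?, ?)", PRODUCTS)
    return conn


def query_unfiltered(conn, category):
    """Same construction as the quoted [query] tag: the URL-supplied value
    is interpolated into the SQL text, so a quote in it ends the literal."""
    sql = ("select sku, description, price from products "
           f"where category='{category}'")
    return conn.execute(sql).fetchall()


def sql_filter(value):
    """Double every single quote so it stays inside the string literal.
    Assumption: this is the effect of Interchange's 'sql' filter; the
    thread does not spell that out. It only protects quoted string
    literals, not numeric or identifier positions."""
    return value.replace("'", "''")


def query_filtered(conn, category):
    """The quoted query with the value passed through the escape first,
    mirroring $Tag->filter('sql', $category) in the ActionMap."""
    return query_unfiltered(conn, sql_filter(category))


def query_parameterized(conn, category):
    """Bind the value instead of interpolating it; the driver never parses
    the value as SQL, whatever characters it contains."""
    sql = "select sku, description, price from products where category=?"
    return conn.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed attacker input: closes the literal and adds an always-true OR.
    payload = "Hammers' OR '1'='1"
    print("unfiltered, honest input :", len(query_unfiltered(conn, "Hammers")))
    print("unfiltered, payload      :", len(query_unfiltered(conn, payload)))
    print("filtered, payload        :", len(query_filtered(conn, payload)))
    print("parameterized, payload   :", len(query_parameterized(conn, payload)))
```

With the honest value the unfiltered query returns the two Hammers rows; with the payload it returns every row, because the injected OR clause is now part of the WHERE condition. After quote-doubling the whole payload is treated as one (non-existent) category name and nothing comes back, which is what the recommended filter buys you for a quoted string position. The bound-parameter version gives the same result without depending on the filter being applied at every call site, which is the more robust choice where the database interface supports it.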