[ic] SQL query as cgi par: strange behavior
Stefan Hornburg (Racke)
racke at linuxia.de
Fri Dec 2 13:51:32 UTC 2011
On 12/02/2011 01:13 PM, Phil Smith wrote:
>> On 12/02/2011 12:31 PM, Marco Mescoli wrote:
>>> --- query.html -------
>>> [query type=list sql="[cgi sql]"]
>>> [list]<br />[sql-param sku][/list]
>>> [/query]
>>> ---------------------
>>> If in the cgi-par sql I put a query on products with the operator greater
>>> than, the char '>', all goes well; instead, if I put the char '<' (less than) it
>>> is replaced with its HTML entity name so the query doesn't run.
>>>
>>> Do you know why ?
>>>
>>> Thanks to the list
>>>
>>
>> 1. You have to be extremely careful with using CGI parameters directly
>> inside queries.
>> 2. I guess the following prevents mangling of <
>>
>> [query type=list sql=`$CGI->{sql}`]
>> [list]<br />[sql-param sku][/list]
>> [/query]
>>
>> Regards
>> Racke
>
> This looks like a lovely way to invite sql re-write hacks.
>
Even easier than SQL injections, correct. That's why I warned about it first.
> All you need to do is call that page with ?sku=drop+table+products and you
> will have a dead catalog.
>
Right.
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
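The two points made in this thread, that a query text taken from a CGI parameter gets its '<' turned into an HTML entity and that such a query is open to rewriting, can be reproduced outside Interchange. The following is an added example written for this archive page, not code from Interchange or from either poster: it stands in an in-memory SQLite table for the catalog, and plain Python functions stand in for the `[query]` tag. `run_cgi_sql` mirrors `sql="[cgi sql]"` (the parameter *is* the statement); `find_sku` and `products_cheaper_than` are the assumed alternative, where the statement is fixed in the code and only the value comes from the request, bound as a parameter. The product SKUs and prices are constructed sample data.

```python
import html
import sqlite3


def build_demo_db():
    """Constructed in-memory products table standing in for the catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("os28004", 10.0), ("os28005", 25.5), ("os28006", 40.0)],
    )
    conn.commit()
    return conn


def as_html_entities(sql):
    """What the thread observed: '<' in the CGI parameter arrives as '&lt;'.
    (Interchange's own encoding step is assumed here; html.escape stands in.)"""
    return html.escape(sql, quote=False)


def run_cgi_sql(conn, cgi_sql):
    """Pattern from the thread: the request parameter is executed as-is.
    Whatever the client sends becomes SQL, so reading $CGI->{sql} directly
    (which avoids the entity mangling) does not remove the rewrite risk.
    Returns the matching SKUs, or the error text when the statement fails."""
    try:
        return [row[0] for row in conn.execute(cgi_sql)]
    except sqlite3.Error as err:
        return f"error: {err}"


def find_sku(conn, sku):
    """Fixed statement, request value bound as a parameter: the value
    'drop table products' is compared as a string, never parsed as SQL."""
    rows = conn.execute("SELECT sku FROM products WHERE sku = ?", (sku,))
    return [row[0] for row in rows]


def products_cheaper_than(conn, max_price):
    """The '<' lives in the code, not in the request, so entity encoding of
    the request cannot break it; the value is type-checked before binding."""
    price = float(max_price)
    rows = conn.execute(
        "SELECT sku FROM products WHERE price < ? ORDER BY sku", (price,)
    )
    return [row[0] for row in rows]


def table_exists(conn, name):
    """Check that the products table survived a request."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    conn = build_demo_db()
    # The '>' form works; the '<' form, once entity-encoded, is a syntax error.
    print(run_cgi_sql(conn, "SELECT sku FROM products WHERE price > 20"))
    print(run_cgi_sql(conn, as_html_entities("SELECT sku FROM products WHERE price < 20")))
    # With a bound parameter the thread's sample value is just an unmatched SKU.
    print(find_sku(conn, "drop table products"), table_exists(conn, "products"))
    print(products_cheaper_than(conn, "20"))
```

Running it shows the '>' query returning rows, the entity-encoded '<' query failing with a syntax error near '&', and the parameterized lookups leaving the table intact while returning an empty result for the non-SKU value.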