[ic] [wellwell/interchange6: 1/5] uid is not guaranteed to be numeric, so quote it
Stefan Hornburg (Racke)
racke at linuxia.de
Fri Mar 3 09:09:06 UTC 2017
On 03/03/2017 09:47 AM, Peter wrote:
> On 03/03/17 20:53, Stefan Hornburg wrote:
>> - $set = $db_carts->query(q{select code from carts where name = '%s' and uid = %s},
>> + $set = $db_carts->query(q{select code from carts where name = '%s' and uid = '%s'},
>> $name, $uid);
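Review bot: The `+` line only wraps the interpolated `%s` in single quotes, which makes non-numeric uid values parse but does nothing about quote characters inside `$uid`, so the statement is still assembled from unescaped untrusted text (and `$name` has been in the same position all along). Use the driver's quoting, `$db_carts->quote($uid)` and `$db_carts->quote($name)` as Peter proposes, or a bound parameter if the query API supports it, rather than literal quotes in the format string.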
>
> Can we not quote properly here to avoid SQL injection?
>
> $set = $db_carts->query(q{select code from carts where name = %s and uid
> = %s}, $db_carts->quote($name), $db_carts->quote($uid));
>
>
> Peter
Hello Peter,
thanks for your code review & vigilance.
Fixed in 9246736ea974230526225e1bbd244a4f7dcff91a.
Regards
Racke
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration.
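An added example, not Interchange's code, showing why the quoted `'%s'` form from the patch is not enough and what Peter's `quote()` suggestion (and, alternatively, bound parameters) does differently. It assumes DBI with DBD::SQLite, uses sprintf plus DBI's quote() in place of Interchange's own `$db_carts->query`/`quote` methods, and constructs its own carts table.

```perl
use strict;
use warnings;
use DBI;

# Constructed in-memory table standing in for the Interchange carts table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('create table carts (code text, name text, uid text)');
$dbh->do('insert into carts values (?, ?, ?)', undef, 'C1', 'main', '42');
$dbh->do('insert into carts values (?, ?, ?)', undef, 'C2', 'main', "o'7");

# (a) The pattern from the patch: the value is interpolated into the SQL
#     text and merely wrapped in quotes. Nothing escapes a quote that is
#     already inside the value, so the statement breaks or changes meaning.
sub lookup_interpolated {
    my ($name, $uid) = @_;
    my $sql = sprintf(q{select code from carts where name = '%s' and uid = '%s'},
                      $name, $uid);
    return $dbh->selectcol_arrayref($sql);
}

# (b) Peter's suggestion: let the driver quote each value. quote() escapes
#     embedded quote characters and adds the surrounding quotes itself.
sub lookup_quoted {
    my ($name, $uid) = @_;
    my $sql = sprintf(q{select code from carts where name = %s and uid = %s},
                      $dbh->quote($name), $dbh->quote($uid));
    return $dbh->selectcol_arrayref($sql);
}

# (c) Bound parameters: the values never become part of the SQL text at all.
sub lookup_bound {
    my ($name, $uid) = @_;
    return $dbh->selectcol_arrayref(
        'select code from carts where name = ? and uid = ?', undef, $name, $uid);
}

# A plain numeric uid works everywhere; a uid containing a quote character
# only survives the quoted and bound variants.
for my $uid ('42', "o'7") {
    for my $variant ([interpolated => \&lookup_interpolated],
                     [quoted       => \&lookup_quoted],
                     [bound        => \&lookup_bound]) {
        my ($label, $fn) = @$variant;
        my $rows  = eval { $fn->('main', $uid) };
        my $shown = $rows ? join(',', @$rows) : 'error: ' . (split /\n/, $@)[0];
        printf "uid=%-4s %-12s -> %s\n", $uid, $label, $shown;
    }
}
```

Run with `perl` after installing DBI and DBD::SQLite; the interpolated variant fails on the second uid while the other two return C2.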