[ic] lookup_query in table editor

Stefan Hornburg (Racke) racke at linuxia.de
Tue Apr 13 16:37:44 UTC 2021


On 4/13/21 5:28 PM, Jon Jensen wrote:
> On Mon, 12 Apr 2021, Scott Andreas wrote:
> 
>> I've even tried using: lookup_query.category=`select distinct category from
>> products_codes where owner='$Session->{username}'`
>>
>> If I try lookup_query.category=`select distinct category from
>> products_codes where owner='bob'`
>> the list populates
> 
> The `...` quoting style is for Perl code snippets, so shouldn't have unquoted regular strings and code mixed.
> 
> You could try:
> 
> lookup_query.category="select distinct category from products_codes where owner='[data session username]'"
> 
> If you do that, make sure you can't ever have a valid username with a '
> in it or you'll have an SQL injection vulnerability there.
> 
> It shouldn't be vulnerable to direct query or form injection since the session username is vetted first, but if a user
> can create a username with a ' then you've got a problem.
> 
> Jon
> 
> 

Using table-editor inside a custom usertag is probably less awkward and allows you to add verification of
the parameters.

The basic rule we are using is if you think the ITL is going to hurt, wrap it into a usertag.

Regards
         Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
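
Racke's suggestion in concrete form, as an added example that is not from this thread or from the Interchange code base: a Perl routine of the kind you would put inside a custom usertag. It checks the session username against a strict allowlist before the value goes anywhere near SQL, and then hands the query to the database as a fixed string with a bind placeholder rather than interpolating the name, so a username containing ' cannot change the query. The allowlist pattern is a hypothetical policy to adapt to how usernames are actually created; the usertag registration, `$Session`, `$Sql{products_codes}` and the hand-off to table-editor appear only in comments and are assumptions about the deployment, not verified here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical username policy (assumption): letters, digits, dot, underscore
# and dash, 1 to 32 characters. Anything else is rejected before it reaches
# SQL. Adjust to match how accounts are really created in the catalog.
my $USERNAME_RE = qr/^[A-Za-z0-9._-]{1,32}\z/;

# Returns the username unchanged if it passes the allowlist, otherwise dies.
sub vetted_username {
    my ($name) = @_;
    defined($name) && $name =~ $USERNAME_RE
        or die "refusing to build lookup query: invalid username\n";
    return $name;
}

# Builds the category lookup the way it should be sent to the database:
# the SQL text never changes, the username travels separately as a bind value.
sub category_lookup {
    my ($name) = @_;
    my $user = vetted_username($name);
    return (
        'select distinct category from products_codes where owner = ?',
        $user,
    );
}

# The pattern from the thread, kept only for comparison: string interpolation.
# With a quote in the username the caller controls the rest of the WHERE clause.
sub category_lookup_interpolated {
    my ($name) = @_;
    return "select distinct category from products_codes where owner='$name'";
}

# Inside an Interchange usertag (assumed deployment, not checked here) this
# would be used roughly as
#   my ($sql, @bind) = category_lookup($Session->{username});
#   my $categories   = $Sql{products_codes}->selectcol_arrayref($sql, undef, @bind);
# and only the resulting list would be passed on to table-editor.

if (!caller) {
    # Constructed sample input: one honest name and two injection attempts.
    my @cases = ('bob', "bob' or '1'='1", "x' union select 1 from userdb--");
    for my $name (@cases) {
        printf "interpolated: %s\n", category_lookup_interpolated($name);
        my ($sql, @bind) = eval { category_lookup($name) };
        if ($@) {
            my $err = $@;
            chomp $err;
            print "vetted:       rejected ($err)\n";
        }
        else {
            print "vetted:       $sql  [bind: @bind]\n";
        }
    }
}
```

Run it as a script to see the three inputs side by side: the interpolated form turns the two hostile names into different SQL, while the vetted form rejects them before any query exists and, for the honest name, produces the same SQL text every time with the name carried in the bind list. The point of doing the check in the usertag rather than in the ITL is exactly what Racke describes: the validation lives in one place in Perl, where it can be read and tested, instead of being spread across page snippets.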


