[ic] "==" and "!=" as DB field values

Doug Alcorn doug at lathi.net
Tue Oct 28 09:37:08 EST 2003

Stefan Hornburg <racke at linuxia.de> writes:

> $Db{products}->query("select * from products where name = '$CGI->{foo}'");
> => that's unsafe IMHO

Just to clarify, if

   $GCI->{foo} = "'; delete from products;'"

Then there could be problems.  In this case, you should escape any
single quotes in $CGI->{foo}.

# racke says my perl is "rusty", so take this with a few grains of sandpaper
my $foo = $Tag->filter('sql', $CGI->{foo});
my $ref = $Db{products}->query("select * from products where name = '$foo'");

The moral of the story is that it's very, very rare when anything the
user inputs is valid.  Almost always there are a certain set of
characters that are invalid.  Try to think about this and escape these
characters or manage those cases.  Thank the IC core team for the
filter tag and it's flexibility.
 (__) Doug Alcorn - Unix/Linux/Web Developing
 oo / PGP 02B3 1E26 BCF2 9AAF 93F1  61D7 450C B264 3E63 D543
 |_/  mailto:doug at lathi.net http://www.lathi.net
      mailto:tarpit at lathi.net is a spam trap

More information about the interchange-users mailing list