[ic] "==" and "!=" as DB field values
Grant
listbox at email.com
Wed Oct 29 12:20:39 EST 2003
> Stefan Hornburg <racke at linuxia.de> writes:
>
> > $Db{products}->query("select * from products where name = '$CGI->{foo}'");
> >
> > => that's unsafe IMHO
>
> Just to clarify, if
>
> $CGI->{foo} = "'; delete from products;'"
>
> Then there could be problems. In this case, you should escape any
> single quotes in $CGI->{foo}.
>
> [perl]
> # racke says my perl is "rusty", so take this with a few grains of sandpaper
> my $foo = $Tag->filter('sql', $CGI->{foo});
> my $ref = $Db{products}->query("select * from products where name = '$foo'");
> [/perl]
>
> The moral of the story is that it's very, very rare when anything the
> user inputs is valid. Almost always there are a certain set of
> characters that are invalid. Try to think about this and escape these
> characters or manage those cases. Thank the IC core team for the
> filter tag and its flexibility.
Do I need to worry about this if I'm using the default DB and no query
commands anywhere? I want to be sure I'm not compromising the security of
my site.
- Grant
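The quoted exchange shows why interpolating `$CGI->{foo}` straight into the query string is dangerous and why the `sql` filter helps. The following is an added example (not code from the thread or from Interchange) that reproduces the same three approaches in Python against an in-memory SQLite table: the raw interpolation, the escaped interpolation, and a bound-parameter query. `sql_escape` doubles single quotes, which is assumed here to be the effect of the `[filter sql]` the poster recommends; the product rows and the `split_statements` helper are constructed for the example. `split_statements` counts top-level statements in the query text so you can see the raw version carry the extra `delete` while the escaped version stays a single `select`.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original post).
PRODUCTS = [("widget", 9.99), ("gadget", 19.99)]

# The hostile value quoted in the thread.
HOSTILE = "'; delete from products;'"


def sql_escape(value: str) -> str:
    """Double every single quote so it cannot terminate the SQL string literal.
    Assumption: this mirrors what Interchange's [filter sql] does to the value."""
    return value.replace("'", "''")


def build_unsafe(name: str) -> str:
    """The pattern racke objected to: user input pasted into the query text."""
    return f"select * from products where name = '{name}'"


def build_escaped(name: str) -> str:
    """The pattern the reply recommends: escape the value before interpolating."""
    return f"select * from products where name = '{sql_escape(name)}'"


def split_statements(sql: str) -> list:
    """Split SQL text on semicolons that are outside single-quoted literals.
    Inside a literal, '' is an escaped quote, not the end of the string."""
    statements, current, in_string, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    current.append("''")  # escaped quote, stay inside the literal
                    i += 2
                    continue
                in_string = False  # lone quote closes the literal
            current.append(ch)
        elif ch == "'":
            in_string = True
            current.append(ch)
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return [s for s in statements if s]


def fresh_db() -> sqlite3.Connection:
    """Create a throwaway products table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (name text, price real)")
    conn.executemany("insert into products values (?, ?)", PRODUCTS)
    return conn


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Run the escaped-interpolation query; the input is matched literally."""
    return conn.execute(build_escaped(name)).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameters: the driver never treats the value as SQL text."""
    return conn.execute("select * from products where name = ?", (name,)).fetchall()


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("select count(*) from products").fetchone()[0]


if __name__ == "__main__":
    conn = fresh_db()
    print("raw query splits into:", split_statements(build_unsafe(HOSTILE)))
    print("escaped query splits into:", split_statements(build_escaped(HOSTILE)))
    print("escaped lookup:", lookup_escaped(conn, HOSTILE))
    print("param lookup:", lookup_param(conn, HOSTILE))
    print("rows still present:", row_count(conn))
```

Running the script shows the raw query text splitting into three statements, the second being the bare `delete from products`, while the escaped text and the parameterised call each stay a single `select` that simply matches nothing and leaves both rows in place. Bound parameters are the form to prefer where the database layer offers them, since they remove the need to get the escaping right for every character the backend treats specially.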