[ic] ActionMap SQL injection
John1
list_subscriber at yahoo.co.uk
Sat Jun 5 15:16:57 EDT 2004
I am using an ActionMap (BTW, a great feature I have only just discovered
how to use! :-)) to pass parameters to an SQL query and would like to
know if I need to take any precautions over SQL injection, or does
Interchange filter out unsafe stuff passed from the URL via an ActionMap?
Here is the scenario:
##Action map defined in catalog.cfg
ActionMap my_search <<EOR
sub {
    # Split the URL path on '/': the first piece is the action name
    # ("my_search"), the second is taken as the category, unmodified.
    my ($action, $category) = split ('/', shift);
    $CGI->{action} = $action;
    $CGI->{category} = $category;
    # Run the normal form processing and then display myresults.html.
    $CGI->{mv_nextpage} = 'myresults';
    $Tag->update('process');
    return 1;
}
EOR
##query contained in myresults.html
[query arrayref=main type=list sql=|select sku, description, price from products where category='[cgi param]'|]
Is it safe to just use [cgi param] in an [query] tag as above?
Thanks,
John
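The question above is whether a CGI value interpolated straight into the sql= string of a [query] tag is safe. What follows is an added illustration, not Interchange code and not part of John's post: it models the same products query in Python with sqlite3 over a constructed sample table, feeds it a category taken from the ActionMap URL path exactly the way the sub above does (decode, split on '/', take the second piece), and runs that value through the raw-interpolation pattern the [query] tag uses and through two alternatives, a bind parameter and a quote-doubling filter. The table contents, the URL paths and the helper names (category_from_path, search_interpolated, search_bound, search_quoted, demo) are all assumptions made up for the example.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample catalogue for this example (not data from the original post).
PRODUCTS = [
    ("SKU-001", "Blue widget", 9.99, "widgets"),
    ("SKU-002", "Red widget", 11.50, "widgets"),
    ("SKU-003", "Gadget", 24.00, "gadgets"),
    ("SKU-004", "Unlisted item", 0.01, "internal"),
]

SELECT = "select sku, description, price from products where category="


def make_db():
    """In-memory stand-in for the catalog's 'products' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table products (sku text, description text, price real, category text)"
    )
    conn.executemany("insert into products values (?, ?, ?, ?)", PRODUCTS)
    return conn


def category_from_path(path):
    """Mimic the ActionMap sub: the path is URL-decoded, split on '/',
    and the second element becomes the category.  Any single quote the
    client put in the path survives decoding untouched."""
    parts = unquote(path).split("/")
    return parts[1] if len(parts) > 1 else ""


def search_interpolated(conn, category):
    """Same construction as sql=|select ... where category='[cgi param]'|:
    the CGI value is pasted into the SQL text, quotes and all."""
    sql = SELECT + "'" + category + "'"
    return conn.execute(sql).fetchall()


def search_bound(conn, category):
    """Bind parameter: the value is sent separately and never becomes SQL."""
    return conn.execute(SELECT + "?", (category,)).fetchall()


def search_quoted(conn, category):
    """Hypothetical quoting filter: double every single quote before
    interpolating.  Only adequate because the value is always wrapped in
    single quotes in the query text, as it is in the tag above."""
    escaped = category.replace("'", "''")
    sql = SELECT + "'" + escaped + "'"
    return conn.execute(sql).fetchall()


# Constructed attacker-controlled paths, as the ActionMap sub would receive them.
BENIGN_PATH = "my_search/widgets"
TAUTOLOGY_PATH = "my_search/widgets%27%20or%20%271%27%3D%271"
UNION_PATH = (
    "my_search/x%27%20union%20select%20sku%2C%20description%2C%20price"
    "%20from%20products%20where%20category%3D%27internal"
)


def demo():
    """Run each query style against each path; return the row counts."""
    conn = make_db()
    results = {}
    for name, path in (("benign", BENIGN_PATH),
                       ("tautology", TAUTOLOGY_PATH),
                       ("union", UNION_PATH)):
        cat = category_from_path(path)
        results[name] = {
            "interpolated": len(search_interpolated(conn, cat)),
            "bound": len(search_bound(conn, cat)),
            "quoted": len(search_quoted(conn, cat)),
        }
    return results


if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
```

With the raw interpolation the tautology path returns every row and the union path returns the row from a category the page never offered; the bound and quoted forms return nothing for either, while all three agree on the benign path. In Interchange terms the raw form is the sql=|... category='[cgi param]'| construction above, and the fix is to keep the unfiltered CGI value out of the SQL text, either by running it through a quoting filter before interpolation or by using bind parameters if the [query] tag in your release supports them (check the tag reference for your version; the names here are the generic mechanisms, not a claim about Interchange syntax). Note also that the payload arrives in the URL path via the ActionMap, not in a form field, so anything that only sanitizes form input does not cover it.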