[ic] ActionMap SQL injection

John1 list_subscriber at yahoo.co.uk
Sat Jun 5 15:16:57 EDT 2004


I am using an ActionMap (BTW, a great feature I have only just discovered
how to use! :-) ) to pass parameters to an SQL query, and would like to
know whether I need to take any precautions against SQL injection, or whether
Interchange filters out unsafe stuff passed from the URL via an ActionMap.

Here is the scenario:

##Action map defined in catalog.cfg
ActionMap  my_search <<EOR
sub {
 my ($action, $category) = split ('/', shift);
 $CGI->{action} = $action;
 $CGI->{category} = $category;
 $CGI->{mv_nextpage} = 'myresults';
 $Tag->update('process');
 return 1;
}
EOR


##query contained in myresults.html
[query arrayref=main type=list sql=|select sku, description, price from
products where category='[cgi param]'|]

Is it safe to just use [cgi param] in an [query] tag as above?

Thanks,

John
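
The risk in the query above is that the `[cgi param]` value is pasted into the SQL text inside a quoted literal, so a single quote in the URL value ends the literal and the rest of the value becomes SQL. The following is an added example, not code from the post or from Interchange: it uses Python and an in-memory sqlite3 database as a stand-in for the `products` table and the `[query]` tag, and contrasts the interpolated form with a bind-parameter form (what `?` placeholders give you in DBI-backed queries) and with quote-escaping as a fallback. Table contents, function names and the hostile input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the "products" table in the post.
SAMPLE_PRODUCTS = [
    ("sku-001", "Blue widget", 9.99, "widgets"),
    ("sku-002", "Red widget", 12.50, "widgets"),
    ("sku-003", "Gadget", 30.00, "gadgets"),
    ("sku-004", "Staff-only item", 0.00, "internal"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table products (sku text, description text, price real, category text)"
    )
    conn.executemany("insert into products values (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_interpolated(conn, category):
    """Mirrors sql=|... category='[cgi param]'|: the raw URL value becomes SQL text.
    A quote in the value closes the literal and the remainder is parsed as SQL."""
    sql = f"select sku, description, price from products where category='{category}'"
    return conn.execute(sql).fetchall()


def search_bound(conn, category):
    """Hardened form: the value is sent as a bind parameter, never as SQL text,
    so the database treats it as data regardless of what characters it contains."""
    sql = "select sku, description, price from products where category=?"
    return conn.execute(sql, (category,)).fetchall()


def sql_quote_escape(value):
    """Stand-in for an escaping filter (hypothetical helper): doubling single quotes
    keeps the value inside its literal. Use only where binding is not available."""
    return value.replace("'", "''")


def search_escaped(conn, category):
    """Interpolation with escaping applied first; safer than raw pasting but still
    second choice to search_bound, since it depends on matching the quoting rules."""
    sql = (
        "select sku, description, price from products "
        f"where category='{sql_quote_escape(category)}'"
    )
    return conn.execute(sql).fetchall()


def row_counts(category):
    """Return how many rows each variant yields for the same URL value."""
    conn = make_db()
    return {
        "interpolated": len(search_interpolated(conn, category)),
        "bound": len(search_bound(conn, category)),
        "escaped": len(search_escaped(conn, category)),
    }


if __name__ == "__main__":
    # Normal value: all three variants agree.
    print("widgets ->", row_counts("widgets"))
    # A value that closes the literal: only the interpolated query leaks every row,
    # including the "internal" category the search was never meant to expose.
    hostile = "x' or '1'='1"
    print(repr(hostile), "->", row_counts(hostile))
```

For a legitimate category the three variants return the same two rows; for the constructed hostile value the interpolated query returns all four rows, while the bound and escaped variants return none. The practical check for a page like `myresults.html` is therefore: if the value reaches the SQL text by substitution, it must be escaped for the database's quoting rules or, preferably, passed as a placeholder argument.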



More information about the interchange-users mailing list