[ic] SQL query as cgi par: strange behavior

Phil Smith phil.smith at phil-home.com
Fri Dec 2 12:13:39 UTC 2011


>On 12/02/2011 12:31 PM, Marco Mescoli wrote:
>> --- query.html -------
>> [query type=list sql="[cgi sql]"]
>>    [list]<br />[sql-param sku][/list]
>> [/query]
>> ---------------------
>> If in the cgi-par sql I put a query on products with the operator greater
>> than, the char '>' all goes well instead if I put the char '<' (less than) it
>> is replaced with its html entity name so the query doesn't run.
>>
>> Do you know why  ?
>>
>> Thanks to the list
>>
>
>1. You have to be extremely careful with using CGI parameters directly
>inside queries.
>2. I guess the following prevents mangling of <
>
>[query type=list sql=`$CGI->{sql}`]
>     [list]<br />[sql-param sku][/list]
>[/query]
>
>Regards
>         Racke

This looks like a lovely way to invite sql re-write hacks.   

All you need to do is call that page with ?sku=drop+table+products and you
will have a dead catalog.

Phil.
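As an added illustration of the point Phil makes (this is not code from the thread and not Interchange's own code), the following Python/sqlite3 script puts the two patterns side by side: a handler that runs whatever SQL arrives in a CGI parameter, which is what `[query sql="[cgi sql]"]` amounts to, and a handler that accepts only a price value and an allowlisted comparison operator and binds the value as a placeholder. The table name `products` and the column `sku` come from the thread; the `price` column, the sample rows, and the `interchange_cgi_filter` stand-in (it models the `<` entity-escaping the thread reports, nothing more) are assumptions made for the example.

```python
import sqlite3

# Constructed sample catalog; stands in for the Interchange "products" table.
SAMPLE_PRODUCTS = [
    ("os28004", "Ergo Roller", 19.95),
    ("os28005", "Framing Hammer", 22.49),
    ("os28007", "Brush Set", 8.50),
]

# Operators a client is allowed to pick; anything else is rejected outright.
ALLOWED_OPS = {"<", "<=", "=", ">=", ">"}


def make_catalog():
    """Build an in-memory catalog with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, description TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def interchange_cgi_filter(value):
    """Assumed stand-in for the escaping the thread reports: '<' becomes its
    HTML entity. This is only a model of the symptom, not Interchange's code."""
    return value.replace("<", "&lt;")


def cgi_query_unsafe(conn, cgi_sql):
    """Equivalent of [query sql="[cgi sql]"]: the client supplies the whole
    statement, so the client decides what the database does."""
    cur = conn.execute(cgi_sql)
    # A SELECT has a result description; DDL/DML such as DROP does not.
    return [row[0] for row in cur.fetchall()] if cur.description else []


def price_query_safe(conn, op, value):
    """Fixed statement, allowlisted operator, bound value. The client can
    choose '<' or '>' freely, and neither escaping nor injection is a concern
    because the text the client sends never becomes SQL."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"operator not allowed: {op!r}")
    price = float(value)  # raises ValueError on non-numeric input
    sql = f"SELECT sku FROM products WHERE price {op} ? ORDER BY sku"
    return [row[0] for row in conn.execute(sql, (price,))]


if __name__ == "__main__":
    conn = make_catalog()
    print("safe  <10:", price_query_safe(conn, "<", "10"))
    print("safe  >10:", price_query_safe(conn, ">", "10"))
    # The thread's symptom: once '<' is entity-escaped the raw SQL no longer parses.
    try:
        cgi_query_unsafe(conn, interchange_cgi_filter("SELECT sku FROM products WHERE price < 10"))
    except sqlite3.Error as exc:
        print("unsafe, escaped '<':", exc)
    # The thread's warning: the same handler runs any statement it is given.
    cgi_query_unsafe(conn, "drop table products")
    print("products table still exists:", table_exists(conn, "products"))
```

The allowlist is the part that matters for the `<` versus `>` question raised in the thread: the operator is chosen from a fixed set and only that fixed text is interpolated, so no filter ever needs to touch it, while the comparison value travels as a bound parameter and is never parsed as SQL.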
