[ic] SQL query as cgi par: strange behavior
Phil Smith
phil.smith at phil-home.com
Fri Dec 2 12:13:39 UTC 2011
>On 12/02/2011 12:31 PM, Marco Mescoli wrote:
>> --- query.html -------
>> [query type=list sql="[cgi sql]"]
>> [list]<br />[sql-param sku][/list]
>> [/query]
>> ---------------------
>> If in the cgi-par sql I put a query on products with the operator greater
>> than, the char '>', all goes well; instead, if I put the char '<' (less than) it
>> is replaced with its html entity name so the query doesn't run.
>>
>> Do you know why ?
>>
>> Thanks to the list
>>
>
>1. You have to be extremely careful with using CGI parameters directly
>inside queries.
>2. I guess the following prevents mangling of <
>
>[query type=list sql=`$CGI->{sql}`]
> [list]<br />[sql-param sku][/list]
>[/query]
>
>Regards
> Racke
This looks like a lovely way to invite sql re-write hacks.
All you need to do is call that page with ?sku=drop+table+products and you
will have a dead catalog.
Phil.
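The problem Phil points out, and a safer shape for the same page, as an added example that is not Interchange code and not from anyone in the thread. It is Python against an in-memory SQLite table with a few constructed rows: run_raw stands in for Racke's `$CGI->{sql}` form (the client's string is executed as-is), run_entity_encoded mimics what Marco reports for `[cgi sql]` by replacing '<' with '&lt;' before executing, and list_by_price is the hardened version, where the client may only pick an operator keyword and a number and the SQL text itself never comes from the request. Table and column names, the allowed-operator map and the sample rows are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example; not from any real catalog.
SAMPLE_ROWS = [("A100", 5), ("B200", 50), ("C300", 500)]


def build_db():
    """Create an in-memory products table (assumed schema: sku, price)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_raw(conn, sql):
    """Stand-in for [query sql=`$CGI->{sql}`]: executes whatever the client
    sent. Returns (ok, list_of_skus); ok is False if the SQL failed to run.
    Nothing stops a client from sending 'drop table products' here."""
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return False, []
    return True, [r[0] for r in rows]


def run_entity_encoded(conn, sql):
    """Stand-in for [query sql="[cgi sql]"] as Marco describes it: '<' is
    turned into its HTML entity before the query runs, so 'price < 100'
    becomes 'price &lt; 100', which is no longer valid SQL. '>' is untouched,
    which is why the greater-than case appeared to work."""
    return run_raw(conn, sql.replace("<", "&lt;"))


# Hardened form: the query text is fixed on the server side. The client
# chooses only a keyword from this map and supplies a numeric threshold,
# which is passed to the driver as a bound parameter, never spliced in.
ALLOWED_QUERIES = {
    "gt": "SELECT sku FROM products WHERE price > ? ORDER BY sku",
    "lt": "SELECT sku FROM products WHERE price < ? ORDER BY sku",
}


def list_by_price(conn, op, threshold):
    """Return SKUs whose price is above/below threshold.
    Raises ValueError for an unknown operator or a non-numeric threshold,
    so inputs like '10 OR 1=1' are rejected before any SQL runs."""
    if op not in ALLOWED_QUERIES:
        raise ValueError(f"unknown operator {op!r}")
    value = int(threshold)  # ValueError on anything that is not an integer
    return [r[0] for r in conn.execute(ALLOWED_QUERIES[op], (value,))]


if __name__ == "__main__":
    db = build_db()
    print(run_raw(db, "SELECT sku FROM products WHERE price > 10 ORDER BY sku"))
    print(run_entity_encoded(db, "SELECT sku FROM products WHERE price < 100 ORDER BY sku"))
    print(list_by_price(db, "lt", "100"))
    print(run_raw(db, "drop table products"), table_exists(db, "products"))
```

Running it shows the three behaviours side by side: the raw form returns rows for both '>' and '<' but also happily executes the drop; the entity-encoded form fails on '<' exactly as reported; the fixed-query form returns the same rows for legitimate input and refuses anything that is not an operator keyword plus an integer.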