[ic] SQL query as cgi par: strange behavior

Stefan Hornburg (Racke) racke at linuxia.de
Fri Dec 2 13:51:32 UTC 2011


On 12/02/2011 01:13 PM, Phil Smith wrote:
>> On 12/02/2011 12:31 PM, Marco Mescoli wrote:
>>> --- query.html -------
>>> [query type=list sql="[cgi sql]"]
>>>     [list]<br />[sql-param sku][/list]
>>> [/query]
>>> ---------------------
>>> If in the cgi-par sql I put a query on products with the operator greater
>>> than, the char '>', all goes well; instead if I put the char '<' (less than) it
>>> is replaced with its html entity name so the query doesn't run.
>>>
>>> Do you know why?
>>>
>>> Thanks to the list
>>>
>>
>> 1. You have to be extremely careful with using CGI parameters directly
>> inside queries.
>> 2. I guess the following prevents mangling of <
>>
>> [query type=list sql=`$CGI->{sql}`]
>>      [list]<br />[sql-param sku][/list]
>> [/query]
>>
>> Regards
>>          Racke
>
> This looks like a lovely way to invite sql re-write hacks.
>

Even easier than SQL injections, correct. That's why I warned about it first.

> All you need to do is call that page with ?sku=drop+table+products and you
> will have a dead catalog.
>

Right.

Regards
	Racke



-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
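The thread's point, worked through as an added example (not Interchange code, not from any participant): the request must never carry SQL text. Instead the client sends a field token, an operator token and a value; the first two are checked against allowlists, and the value is bound through a `?` placeholder, so an operator such as `<` never travels inside a parameter and a value like `drop table products` is only ever compared as a literal. SQLite is used stand-in for the catalog database; the `price` and `inventory` columns and the sample rows are constructed, and only `products` and `sku` come from the thread.

```python
import sqlite3

# Added example, not Interchange code. The columns price and inventory and
# the sample rows are constructed for the demo; only "sku" and "products"
# come from the mailing-list thread.

ALLOWED_FIELDS = {"sku", "price", "inventory"}   # columns a form may filter on
ALLOWED_OPS = {"gt": ">", "lt": "<", "eq": "="}  # operator tokens a form may send


def build_product_query(field, op_token):
    """Assemble SQL from allowlisted pieces only; the value stays a '?' placeholder."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not allowed: %r" % (field,))
    if op_token not in ALLOWED_OPS:
        raise ValueError("operator not allowed: %r" % (op_token,))
    return "SELECT sku FROM products WHERE %s %s ? ORDER BY sku" % (field, ALLOWED_OPS[op_token])


def search_products(conn, field, op_token, value):
    """Hardened search: the request picks field/operator tokens, the driver binds the value."""
    sql = build_product_query(field, op_token)
    return [row[0] for row in conn.execute(sql, (value,))]


def unsafe_search(conn, raw_sql):
    """The pattern discussed in the thread: the request parameter *is* the statement."""
    return [row[0] for row in conn.execute(raw_sql)]


def table_exists(conn, name):
    """True if a table of that name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def make_demo_db():
    """In-memory catalog populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price REAL, inventory INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("os28004", 9.50, 10), ("os28005", 15.00, 0), ("os28006", 27.00, 3)],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    # The '<' case that was HTML-escaped in the original: the operator is chosen
    # by token and never rides inside a parameter, so nothing gets mangled.
    print(search_products(db, "price", "lt", 10))                   # ['os28004']
    print(search_products(db, "price", "gt", 10))                   # ['os28005', 'os28006']
    # The string from the thread is just a sku value that matches no row.
    print(search_products(db, "sku", "eq", "drop table products"))  # []
    print(table_exists(db, "products"))                             # True
    # Handed to the raw pattern, the same string is executed as SQL.
    unsafe_search(db, "drop table products")
    print(table_exists(db, "products"))                             # False
```

The allowlist is the part that matters when the *shape* of the query (which column, which comparison) is user-chosen: binding alone cannot parameterize an operator or a column name, so those come from fixed tokens, and only the comparison value is bound.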