Re^9: CGI Action call

The code below demonstates use of a placeholder for a field name (lastname) and this works. ...

my $stmt = "SELECT * FROM users WHERE $searchfield = ? ORDER BY ? ASC"
+;
warn("statement =  '$stmt'");
[download]

[Mon Mar 19 19:01:04 2018] update_tables.cgi: statement =  'SELECT * F
+ROM users WHERE lastname = ? ORDER BY ? ASC' at update_tables.cgi lin
+e 462.
[download]

No. It does not use a placeholder for lastname. It interpolates $searchfield directly into the query. It uses a placeholder for the column value, but that is different from the column name.

Comment on Re^9: CGI Action call Select or Download Code

Replies are listed 'Best First'.
Re^10: CGI Action call by tultalk (Monk) on Mar 20, 2018 at 09:30 UTC
See what you are saying If the stmt was `my $stmt = "SELECT * FROM users WHERE ? = ? ORDER BY ? +ASC";` [download] instead, it would fail with `$sth->execute($searchfield, $searchterm, $searchfield) or die "Unable +to execute + query: " . $sth->errstr;` [download] But this works as the field name is assigned early. `[Mon Mar 19 19:01:04 2018] update_tables.cgi: statement = 'SELECT * F +ROM users WHERE lastname = ? ORDER BY ? ASC' at update_tables.cgi lin +e 462.` [download] So what would be lost by simply using: `'SELECT * F +ROM users WHERE $searchfield = $searchterm ORDER BY $searchfield ASC'` [download] where all the parameter would be defined at prepare?	[reply] [d/l] [select]
Re^11: CGI Action call by Corion (Patriarch) on Mar 20, 2018 at 09:50 UTC
Because `$searchterm` is user-supplied, I could supply `O'Reilly` to break your SQL query or `1; delete from users --` to wipe all users from the user table or `1; update users set is_admin=1 --` to make all accounts administrator accounts. Interpolating user-supplied data into SQL statements is a problematic thing and best avoided.	[reply] [d/l] [select]
Re^12: CGI Action call by tultalk (Monk) on Mar 20, 2018 at 11:28 UTC
You say: Interpolating user-supplied data into SQL statements is a problematic thing and best avoided. How do you avoid having a user (administrator only in this case) enter a user supplied search term like a last name? Perhaps I don't understand your statement.	[reply]
Re^13: CGI Action call by poj (Abbot) on Mar 20, 2018 at 11:41 UTC
Re^13: CGI Action call by davies (Monsignor) on Mar 20, 2018 at 12:59 UTC
Re^11: CGI Action call by marto (Cardinal) on Mar 20, 2018 at 10:08 UTC
Obligatory Bobby Tables link.	[reply]