in reply to Re^10: CGI Action call
in thread CGI Action call

Because $searchterm is user-supplied, I could supply O'Reilly to break your SQL query or  1; delete from users -- to wipe all users from the user table or  1; update users set is_admin=1 -- to make all accounts administrator accounts.

Interpolating user-supplied data into SQL statements is a problematic thing and best avoided.

Re^12: CGI Action call
by tultalk (Monk) on Mar 20, 2018 at 11:28 UTC

    You say: Interpolating user-supplied data into SQL statements is a problematic thing and best avoided.

    How do you avoid having a user (administrator only in this case) enter a user supplied search term like a last name?

    Perhaps I don't understand your statement.

      my $kind       = $query->param('kind');        # $query is the CGI object
      my $searchterm = $query->param('searchterm');
      my $searchfield;
      if    ($kind == 0) { $searchfield = 'user_id';  }
      elsif ($kind == 1) { $searchfield = 'lastname'; }
      elsif ($kind == 2) { $searchfield = 'business'; }
      else               { die "Unknown search kind: $kind\n"; }   # refuse anything else
      # $searchfield is one of the fixed strings above, so interpolating it is safe;
      # the user-supplied $searchterm is passed as a bind value, never interpolated.
      my $stmt = "SELECT * FROM users WHERE $searchfield = ? ORDER BY $searchfield";
      my $sth  = $dbh->prepare($stmt);   # $dbh is the DBI database handle
      $sth->execute($searchterm);

      In the above, the interpolated field $searchfield is not user supplied. The user supplied $searchterm uses a placeholder so no problem searching for the lastname O'Reilly.

      poj
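An added, self-contained illustration of the pattern poj describes (this is example code written for this thread, not poj's program or the original CGI script). It assumes DBD::SQLite is installed and builds a constructed in-memory users table: the search field is taken from a whitelist hash, the search term is bound through a placeholder, and the same O'Reilly input is then run through the interpolated form from earlier in the thread to show it failing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database for the demonstration (needs DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (user_id INTEGER, lastname TEXT, business TEXT, is_admin INTEGER)');
$dbh->do(q{INSERT INTO users VALUES (1, 'O''Reilly', 'Acme',    0)});
$dbh->do(q{INSERT INTO users VALUES (2, 'Smith',     'Widgets', 1)});

# Whitelist of searchable columns, keyed by the 'kind' parameter.
# Only these fixed strings ever reach the SQL text.
my %field_for_kind = (0 => 'user_id', 1 => 'lastname', 2 => 'business');

sub search_users {
    my ($kind, $searchterm) = @_;
    die "Unknown search kind\n"
        unless defined $kind && exists $field_for_kind{$kind};
    my $searchfield = $field_for_kind{$kind};
    my $sth = $dbh->prepare(
        "SELECT user_id, lastname, business FROM users WHERE $searchfield = ? ORDER BY $searchfield");
    $sth->execute($searchterm);     # the driver binds the value; no quoting by hand
    return $sth->fetchall_arrayref;
}

# Placeholder version: the apostrophe in O'Reilly is just data.
my $rows = search_users(1, "O'Reilly");
printf "placeholder search: %d row(s), lastname=%s\n", scalar @$rows, $rows->[0][1];

# A kind outside the whitelist is rejected before any SQL is built.
eval { search_users(7, 'anything') } or print "kind 7 rejected: $@";

# Same lookup with the term interpolated into the SQL string, as in the
# original code: the apostrophe ends the literal and the statement fails.
my $term = "O'Reilly";
my $ran  = eval { $dbh->selectall_arrayref("SELECT * FROM users WHERE lastname = '$term'"); 1 };
print "interpolated search: ", ($ran ? "ran\n" : "failed: $@");
```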
      You say: Interpolating user-supplied data into SQL statements is a problematic thing and best avoided.

      No. He says: User data may, maliciously or accidentally, including programmer error, be problematic and must be sanitised.

      Regards,

      John Davies