in reply to Re^11: CGI Action call
in thread CGI Action call

You say: Interpolating user-supplied data into SQL statements is a problematic thing and best avoided.

How do you avoid having a user (administrator only in this case) enter a user supplied search term like a last name?

Perhaps I don't understand your statement.

Re^13: CGI Action call
by poj (Abbot) on Mar 20, 2018 at 11:41 UTC
    my $kind       = $query->param('kind');
    my $searchterm = $query->param('searchterm');
    my $searchfield;
    # Map the numeric 'kind' to a fixed column name; the column never comes from the request
    if ($kind == 0) {
        $searchfield = 'user_id';
    } elsif ($kind == 1) {
        $searchfield = 'lastname';
    } elsif ($kind == 2) {
        $searchfield = 'business';
    }
    # Only the whitelisted column name is interpolated; the search value is bound as a placeholder
    my $stmt = "SELECT * FROM users WHERE $searchfield = ? ORDER BY $searchfield";
    my $sth  = $dbh->prepare($stmt);
    $sth->execute($searchterm);

    In the above, the interpolated field $searchfield is not user supplied. The user supplied $searchterm uses a placeholder so no problem searching for the lastname O'Reilly.

    poj
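The pattern in the post above, shown as an added, runnable example that is not part of the thread. The original is Perl/DBI; this mirrors it in Python's DB-API against an in-memory SQLite table so it runs stand-alone, using the same `?` placeholder convention. The table layout, the sample rows and the function names are constructed for the demonstration. The safe version keeps the column name in a fixed whitelist and binds the value; the interpolated version is included only to show why a name like O'Reilly breaks it and why a crafted term returns every row.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [
    (1, "O'Reilly", "Acme"),
    (2, "Smith", "Globex"),
    (3, "Jones", "Acme"),
]

# The only column names the 'kind' parameter may select. Identifiers cannot be
# bound with a placeholder, so they go through this fixed table; the request
# never supplies the column name itself, only an index into it.
SEARCH_FIELDS = {0: "user_id", 1: "lastname", 2: "business"}


def make_db():
    """Create an in-memory users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, lastname TEXT, business TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_users(conn, kind, searchterm):
    """Safe version: column from the whitelist, search value via a placeholder.

    'kind' and 'searchterm' are treated as untrusted request parameters
    (strings, as a CGI module would hand them over).
    """
    try:
        field = SEARCH_FIELDS[int(kind)]
    except (KeyError, ValueError, TypeError):
        # Unknown or non-numeric kind: refuse rather than build a broken query.
        raise ValueError(f"unknown search kind: {kind!r}")
    # Only the whitelisted identifier is spliced into the SQL text; the value
    # travels separately as a bound parameter and is never parsed as SQL.
    stmt = f"SELECT * FROM users WHERE {field} = ? ORDER BY {field}"
    return conn.execute(stmt, (searchterm,)).fetchall()


def search_users_interpolated(conn, kind, searchterm):
    """Unsafe version for comparison: the user's term is spliced into the SQL."""
    field = SEARCH_FIELDS[int(kind)]
    stmt = f"SELECT * FROM users WHERE {field} = '{searchterm}' ORDER BY {field}"
    return conn.execute(stmt).fetchall()


def apostrophe_breaks_interpolation(conn):
    """True when the interpolated query cannot even parse a name like O'Reilly."""
    try:
        search_users_interpolated(conn, 1, "O'Reilly")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("placeholder, O'Reilly:", search_users(db, "1", "O'Reilly"))
    print("placeholder, crafted term:", search_users(db, "1", "x' OR '1'='1"))
    print("interpolated, crafted term:",
          search_users_interpolated(db, "1", "x' OR '1'='1"))
    print("interpolated, O'Reilly fails:", apostrophe_breaks_interpolation(db))
```

With the placeholder, the apostrophe in O'Reilly is just data and the crafted term matches nothing; with interpolation the same apostrophe is a syntax error and the crafted term turns the WHERE clause into `lastname = 'x' OR '1'='1'`, which matches every row.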
Re^13: CGI Action call
by davies (Monsignor) on Mar 20, 2018 at 12:59 UTC
    You say: Interpolating user-supplied data into SQL statements is a problematic thing and best avoided.

    No. He says: User data may, maliciously or accidentally, including programmer error, be problematic and must be sanitised.

    Regards,

    John Davies