in reply to Using CGI params for SQL statement

This code contains a BIG security hole. Values of CGI parameters must be validated before using them in an SQL query. It is possible for a 'bad person' to modify your query in very bad ways. There is a good non-Perl-specific paper about it: SQL Injection

--
Ilya Martynov (http://martynov.org/)

Re: Re: Using CGI params for SQL statement
by maderman (Beadle) on Feb 26, 2002 at 09:42 UTC
    The code here is basic and I would never use anything like it on a server. In reality I always check returned params.
    Keeping code simple for as long as possible allows me to work through the problem and hopefully lets others help me out :)
    Stacy.
      IMHO in any event it is better to post code which follows good coding practices unless it requires significant effort. There exists a danger that some newbie will just copy your code blindly. Had you added just one line which checks the value of the CGI parameter, there could be a chance to educate him/her about the proper way.

      --
      Ilya Martynov (http://martynov.org/)

        Fair enough...

        Regards,
        Stacy.
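An added example (not code from the thread or from either poster) of the point made in both of Ilya's replies: a one-line check on the CGI value, plus DBI placeholders so the value is bound as data rather than pasted into the SQL text. The parameter values are constructed in a hash instead of read via CGI.pm, and the example assumes DBD::SQLite is installed for an in-memory database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample parameters, standing in for $q->param('user').
my %param = (
    user     => "alice",
    user_bad => "x' OR '1'='1",   # a value containing SQL syntax, as in the cited paper
);

# Validate: accept only the characters a username may contain.
# Reject (don't "clean up") anything else, and never interpolate it.
sub valid_username {
    my ($v) = @_;
    return defined $v && $v =~ /\A[A-Za-z0-9_]{1,32}\z/;
}

# Throwaway in-memory database (assumes DBD::SQLite is installed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 'alice\@example.org')");
$dbh->do("INSERT INTO users VALUES ('bob',   'bob\@example.org')");

# Unsafe: the CGI value becomes part of the SQL statement itself.
sub lookup_interpolated {
    my ($name) = @_;
    return $dbh->selectall_arrayref(
        "SELECT name, email FROM users WHERE name = '$name'");
}

# Safe: check the value first, then let DBI bind it with a placeholder.
sub lookup_bound {
    my ($name) = @_;
    die "invalid username\n" unless valid_username($name);
    my $sth = $dbh->prepare("SELECT name, email FROM users WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

for my $v ($param{user}, $param{user_bad}) {
    my $rows = lookup_interpolated($v);
    printf "interpolated %-16s -> %d row(s)\n", "'$v'", scalar @$rows;
    my $safe = eval { lookup_bound($v) };
    printf "bound        %-16s -> %s\n", "'$v'",
        $@ ? "rejected: $@" : scalar(@$safe) . " row(s)";
}
```

The interpolated query returns every row for the second value, while the checked and bound version refuses it before any SQL runs.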