All of the comments here have been useful and I'm absorbing them fully--thanks to everyone.  However, this one by Zaxo about a user spiking a param with an extra mySQL statement to be inserted at the end of my mySQL statement, I can't figure out how to resolve.  Talking it over with cerberus who works with me, we figured out that we can do something like this:

my $sort = $q->param("sort") || "";
# Only the three known column names are accepted; anything else falls back to
# emp_last.  The three tests must be joined with &&, not ||: a value can never
# differ from all three at once, so an || chain would always be true.
if ($sort ne "emp_id" && $sort ne "emp_last" && $sort ne "dept") { $sort = "emp_last"; }

This would get rid of any destructive mySQL statements a hacker might throw into the CGI parameter.  However, what about scripts where we're taking in a search parameter?  I thinned out some pieces of the script above, emp-list.cgi, for a shorter and more concise post.  One piece I left out is a search feature which I feel I should now post for this side question:

my $search_text = param("search_text") || "";
if ($search_text ne "") {
    # $search_text is interpolated straight into the statement text
    $sql_stmnt = "SELECT emp_id, CONCAT(emp_first, ' ', emp_last) FROM sys_main.humans"
               . " WHERE emp_first LIKE '%$search_text%' OR emp_last LIKE '%$search_text%'";
    $sth = $dbh->prepare($sql_stmnt);
    $sth->execute();
    # hash of emp_id => "First Last" for the user to pick from
    while (@emp_matches = $sth->fetchrow_array()) {
        $emp_matches{$emp_matches[0]} = $emp_matches[1];
    }
}

Here I'm basically getting a list of matching names and putting them in a hash for the user to choose the specific employee she wants to view details on.  In this case, we wouldn't know all of the acceptable answers and couldn't filter out hacking attempts so easily.  Any thoughts?

-Spenser

Update
To answer my own question for future reference by others, I believe I've figured out how to stop a user from appending a CGI/mySQL query statement with the following as Zaxo suggested:

...;delete from sysmain.humans where '1'

You just change the user permissions in mySQL not to allow deletion of records by the CGI script user.
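The sort whitelist and the free-text search from the post, rewritten with DBI bind values so the search text is handed to execute() instead of being pasted into the SQL; this is an added illustration, not code from the thread, and it assumes DBD::SQLite is installed and uses a constructed in-memory table in place of sys_main.humans.

```perl
use strict;
use warnings;
use DBI;

# Constructed in-memory table (assumes DBD::SQLite) standing in for
# sys_main.humans; the column names are the ones used in the post.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE humans (emp_id INTEGER, emp_first TEXT, emp_last TEXT, dept TEXT)");
$dbh->do("INSERT INTO humans VALUES (?, ?, ?, ?)", undef, @$_) for
    [1, 'Ann',  'Smith',    'ops'],
    [2, 'Bob',  'Smithson', 'dev'],
    [3, 'Cara', 'O_Neil',   'dev'];

# 1. Sort column: a column name cannot be a bind value, so it is checked
#    against a fixed list and anything unknown falls back to emp_last.
my %allowed_sort = map { $_ => 1 } qw(emp_id emp_last dept);
sub safe_sort_column {
    my ($requested) = @_;
    return $allowed_sort{$requested // ''} ? $requested : 'emp_last';
}

# 2. Free-text search: the text goes to execute() as a bind value, so the
#    driver quotes it and it can only be compared, never run as SQL.
#    % and _ are LIKE wildcards, so they (and \) are escaped too, otherwise
#    a user could widen the match.  (|| is SQLite's spelling of CONCAT().)
sub search_employees {
    my ($dbh, $search_text, $sort) = @_;
    (my $pattern = $search_text) =~ s/([\\%_])/\\$1/g;
    $pattern = "%$pattern%";
    my $sql = "SELECT emp_id, emp_first || ' ' || emp_last FROM humans"
            . " WHERE emp_first LIKE ? ESCAPE '\\' OR emp_last LIKE ? ESCAPE '\\'"
            . " ORDER BY " . safe_sort_column($sort);
    my $sth = $dbh->prepare($sql);
    $sth->execute($pattern, $pattern);
    my %emp_matches;
    while (my ($id, $name) = $sth->fetchrow_array) {
        $emp_matches{$id} = $name;
    }
    return \%emp_matches;
}

my $hits = search_employees($dbh, 'Smith', 'emp_last');
print "$_ => $hits->{$_}\n" for sort keys %$hits;

# The payload quoted in the update is just a string that matches nothing,
# and the bogus sort value is replaced by the default; no rows are touched.
my $attack = search_employees($dbh, q{';delete from humans where '1}, "emp_id; drop table humans");
print "attack matched ", scalar(keys %$attack), " rows\n";
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM humans");
print "rows still present: $count\n";
```

The placeholder approach works with DBD::mysql the same way; only the CONCAT() spelling and the ESCAPE literal differ between the two drivers.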


In reply to Re: Spiking the mySQL parameter by Spenser
in thread A Matter of Style in CGI by Spenser