I don't have time right now to look through all your code. I'll spend some time on it later tonight, but for now a quick glance reveals what I consider a major problem. You have many SQL insert and update statements that use outside data, but you don't use placeholders. I haven't looked carefully enough to know for sure if you're vulnerable, but this is a prime candidate for SQL injection attacks.

Here's an example of one of your SQL inserts:

    my $executeSQL = "INSERT INTO FDNMail (msgid,subject,sourceip,sourcednsname,[from],[to],allheaders,preamble,body,receiveddate,attachmentdata, custnum,[X-AOLIP]) VALUES ('"
        . $record->{"msgid"} . "','" . $record->{"subject"} . "','"
        . $record->{"sourceip"} . "','" . $record->{"sourcednsname"} . "','"
        . $record->{"from"} . "','" . $record->{"to"} . "','"
        . $record->{"allheaders"} . "','" . $record->{"preamble"} . "','"
        . $record->{"body"} . "','" . $record->{"receiveddate"} . "','"
        . $record->{"attachmentdata"} . "','" . $record->{"custnum"} . "','"
        . $record->{"xaolip"} . "')";
    my $action = $tema1->prepare($executeSQL);

Besides being generally hard to read and somewhat messy, if any of the values from $record contain tainted data, you have a huge vulnerability. I would write that like this:

    my %fields = (
        msgid          => $record->{msgid},
        subject        => $record->{subject},
        sourceip       => $record->{sourceip},
        sourcednsname  => $record->{sourcednsname},
        '[from]'       => $record->{from},
        '[to]'         => $record->{to},
        allheaders     => $record->{allheaders},
        preamble       => $record->{preamble},
        body           => $record->{body},
        receiveddate   => $record->{receiveddate},
        attachmentdata => $record->{attachmentdata},
        custnum        => $record->{custnum},
        '[X-AOLIP]'    => $record->{xaolip},
    );

    # keys and values of an unmodified hash come back in the same order,
    # so the column list and the bound values line up
    my $sql = "INSERT"
            . " INTO FDNMail (" . join(",", keys %fields) . ")"
            . " VALUES (" . join(",", ('?') x keys %fields) . ")";

    my $fdnmail_sth = $tema1->prepare($sql);
    $fdnmail_sth->execute(values %fields);

This has several advantages.

  1. It's easier to maintain. The whole thing is controlled by the %fields hash, so new fields can be added, or fields can be removed, very easily. There won't be problems counting commas to make sure everything lines up.
  2. It's safer. Using placeholders eliminates the possibility of SQL injection attacks, because proper escaping and quoting is done automatically.
  3. It's generic. The actual insertion code could be abstracted to a subroutine that takes in the DB handle and a hash of fields, making it easy to get these advantages all throughout your code. Also, since the quoting and escaping is done by the DB driver, this is portable to any database that DBI supports.

In reply to Re: Re: Re: Passing References to Subroutines by revdiablo
in thread Passing References to Subroutines by ketema
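The subroutine suggested in point 3 above, written out as an added example (not code from the thread). It assumes DBD::SQLite is installed for the in-memory demo; `insert_hash` and the sample record are constructed here. Note the caveat that placeholders only bind values: the table and column names still have to come from trusted code, never from outside data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Generic insert: column names are the hash keys (trusted, from code),
# values are bound through placeholders so the driver quotes them.
# Placeholders cannot stand in for identifiers, so $table and the keys
# must never be built from user input.
sub insert_hash {
    my ($dbh, $table, $fields) = @_;
    my @cols = sort keys %$fields;      # fixed order for columns and values
    my $sql  = "INSERT INTO $table (" . join(',', @cols) . ")"
             . " VALUES (" . join(',', ('?') x @cols) . ")";
    my $sth  = $dbh->prepare($sql);
    return $sth->execute(@{$fields}{@cols});
}

# Constructed demo against an in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE FDNMail (msgid TEXT, subject TEXT, body TEXT)');

# Values containing quotes and SQL comment markers, the kind of input that
# breaks a hand-concatenated statement; with placeholders they are stored
# verbatim and never interpreted as SQL.
my %record = (
    msgid   => 'abc123',
    subject => "Re: report'); --",
    body    => "O'Brien's quarterly numbers",
);
insert_hash($dbh, 'FDNMail', \%record);

my ($n)    = $dbh->selectrow_array('SELECT COUNT(*) FROM FDNMail');
my ($subj) = $dbh->selectrow_array(
    'SELECT subject FROM FDNMail WHERE msgid = ?', undef, 'abc123');
print "rows: $n\nsubject: $subj\n";
```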
