Thanks for everyone's input. I know "what's right" is to refactor to DBI. I'm hoping to get away with less. Here's an attempt at code examples to give you all a better idea at how much refactoring might be involved in various designs.
I call it here:
$result = update_string_to_form($reportoutput, $thisformobjid, + 'REPORTBODY') ; if (not defined $result) { die 'could not update report body on form'; } else { if ($result != 0) { die 'error updating report body on form.'; } }
This is update_string_to_form:
and somewhere down in harcommon::runsql, they encapsulate looking up credentials and wrapping my stuff in a sqlplus command and executing / catching results from sqlplus.sub update_string_to_form { my ($string, $formobjid, $column) = @_; return undef unless defined $string; #string is required to b +e defined, but can be '' return undef unless $formobjid; #formobjid is required return undef unless $column; #column is required unless ( grep($_ eq $column, formcolumns_from_formobjid($formobjid +)) ){ warn ("invalid column for form"); return undef; } my $formtypeobjid = formtypeobjid_from_formobjid($formobjid); return undef unless $formtypeobjid; my $formtablename = formtablename_from_formtypeobjid($formtypeobji +d); return undef unless $formtablename; my $sql = "update $formtablename set $column = '$string' where FOR +MOBJID = '$formobjid'"; #if ( harcommon::debug() ) { if ( 1 ) { warn '$formobjid : ',$formobjid; warn '$formtypeobjid : ',$formtypeobjid; warn '$formtablename : ',$formtablename; warn '$string : ',$string; warn '$sql : ',$sql; } my @results = harcommon::runsql( $sql, $$DBSettings{'tnsname'}, $$DBSettings{ +'dbuser'}, $$DBSettings{'dbpass'} ); #if ( harcommon::debug() ) { if ( 1 ) { warn '@results: ',join(",",@results); warn 'number of results: ', scalar(@results); } if (scalar(@results) != 0) { my @trimmedresults = map {harcommon::trim($_)} @results; return @trimmedresults; } else { return 0; } }
My first naive solution was to add:
before setting $sql. FWIW, this approach is still failing (though I'm debugging and looking for dumb mistakes).. . . $string =~ s/'/quot/g; $string =~ s/;/semi/g; my $sql = "update $formtablename set $column = '$string' where FOR +MOBJID = '$formobjid'"; . . .
One design (moritz's suggestion, which I like) would be to use the minimum of DBI to get access to ->quote.
but now I would have to un-encapsulate the looking up of $data_source, $username, $auth, etc. from the harcommon::runsql sub just to pass $sql in and let it do that again.. . . my $dbh = DBI->connect($data_source, $username, $auth, \%attr); $string = $dbh->quote($string); my $sql = "update $formtablename set $column = '$string' where FOR +MOBJID = '$formobjid'"; . . .
I suppose the next thing would be to refactor harcommon::runsqlto use DBI and abandon sqlplus entirely. That's getting to be orders of magnitude larger a problem than I thought I was working on.
In reply to Re: untainting or encoding for shelled sqlplus update
by goibhniu
in thread untainting or encoding for shelled sqlplus update
by goibhniu
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |