skumar1 has asked for the wisdom of the Perl Monks concerning the following question:

Hi All, I have written one custom script in Bugzilla called duration.cgi which calculates the bug duration. I am getting the below error message while trying to access the link http://localhost:8200/duration.cgi:

    Software Error: Insecure dependency in parameter 1 of DBI::db=HASH(0x275840c)->prepare_cached method call while running with -T switch at C:/Bugzilla/duration.cgi line 102

Line no. 102 in duration.cgi is as below:

    my $sth = $dbh->prepare_cached($sql) or die "can't execute SQL:" . $dbh->errstr();

I explored this and found that there is an issue with Perl taint mode. Can you please help me out in fixing this issue? Thanks, Kumar
  • Comment on Insecure dependency in parameter while running with -T switch

Re: Insecure dependency in parameter while running with -T switch
by Corion (Patriarch) on Apr 13, 2010 at 11:37 UTC

    The error is in how you are constructing $sql (which you don't show). Most likely you are taking parameters from the CGI request and interpolating them into your SQL like this:

    my $q = CGI->new();
    my $username = $q->param('user');
    my $sql = "select * from users where username='$username'"; # BAD BAD BAD

    You should never interpolate data from outside of your program into SQL or other things passed to other libraries. In this case, you should learn about and use DBI placeholders:

    my $sql = "select * from users where username=?"; # GOOD
    my $sth_user = $dbh->prepare_cached($sql) or die "can't prepare SQL:" . $dbh->errstr();
    $sth_user->execute( $username );

    You should also make sure that your $username corresponds to what you expect. See perltaint for how to check and how to untaint.
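A complete script that reproduces the error from the question and then applies both points of the reply above (placeholders for values, validation for everything else), added here as an example; it is not code from the thread, from Bugzilla or from the DBI documentation. It assumes DBI and DBD::SQLite are installed, builds a two-row users table in memory, and takes the "request parameter" from @ARGV, which -T taints exactly as it taints a CGI parameter. The table, the column names and the username pattern are assumptions for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread or from Bugzilla.
# Run as:  perl -T taint_dbi.pl bob            (or: perl -T taint_dbi.pl "x' OR '1'='1")
# Assumes DBI + DBD::SQLite; the users table below is constructed in memory.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T everything from outside the program is tainted: CGI parameters,
# @ARGV, %ENV, file input.  @ARGV stands in for $cgi->param('user') here so
# the script runs without a web server.
my ($username, $requested_sort) = @ARGV;
die "usage: perl -T $0 USERNAME [SORTCOLUMN]\n" unless defined $username;
$requested_sort //= 'username';
printf "input %-12s tainted: %s\n", "'$username'", tainted($username) ? 'yes' : 'no';

# TaintIn => 1 makes DBI refuse any tainted argument to its methods (bind
# values included) with the "Insecure dependency in parameter N of ...
# ->prepare_cached method call" message from the question.  DBI leaves it
# off by default; Bugzilla's Bugzilla::DB switches it on when it connects,
# which is why duration.cgi trips over it.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1, TaintIn => 1 });
$dbh->do('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO users (username) VALUES (?)');
$ins->execute($_) for qw(alice bob);    # literals, so untainted

# 1. What the question's line 102 is doing: the request value is interpolated
#    into $sql, so $sql itself is tainted and prepare_cached() croaks.  Without
#    -T the same line would simply be an SQL injection hole.
my $bad_sql = "SELECT userid FROM users WHERE username = '$username'";
eval { $dbh->prepare_cached($bad_sql) };
print "interpolated SQL -> $@" if $@;

# 2. Validate the value against what a username is allowed to look like.
#    A regex capture is what untaints (see perlsec); anything that does not
#    match is rejected outright rather than "cleaned up".
my ($clean_name) = $username =~ /\A([A-Za-z0-9_.\@-]{1,255})\z/
    or die "invalid username, refusing to query\n";
printf "after capture        tainted: %s\n", tainted($clean_name) ? 'yes' : 'no';

# 3. Keep the SQL text constant and hand the value over as a bind parameter.
#    The driver quotes it; prepare_cached() never sees request data.
my $sth = $dbh->prepare_cached('SELECT userid FROM users WHERE username = ?');
$sth->execute($clean_name);
my ($userid) = $sth->fetchrow_array;
$sth->finish;
print defined $userid ? "$clean_name has userid $userid\n"
                      : "no such user: $clean_name\n";

# 4. Identifiers (table/column names, ORDER BY targets) cannot be bound, so a
#    request-supplied sort column gets a whitelist instead.  The hash value is
#    a literal, so the lookup yields an untainted string that can only ever be
#    one of the names listed here.
my %sortable = (userid => 'userid', username => 'username');
my $order_by = $sortable{$requested_sort} // die "unknown sort column: $requested_sort\n";
my $rows = $dbh->selectall_arrayref("SELECT userid, username FROM users ORDER BY $order_by");
print "users by $order_by: ", join(', ', map { $_->[1] } @$rows), "\n";
```

Run with a normal name and step 1 prints the same "Insecure dependency" error the question quotes while steps 2 to 4 succeed; run with the injection string and step 2 refuses it before any SQL is built. Inside a real Bugzilla extension the validation in step 2 is normally done with the helpers in Bugzilla::Util (detaint_natural for integers such as bug IDs, trick_taint for values already validated another way) before the value goes anywhere near $dbh.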
