Re^3: error joining hashref of an arrayref

I see other problems in your code:

You don't use placeholders in the SQL statement.
You don't use prepare_cached().
You try to implement your own quoting.
The quoting code can be circumvented (just make $word[$count] false, e.g. by inserting " 0" into a line in the input file), which leads to a SQL injection vulnerability (all words following the 0 are not modified at all). Don't loop over the first few elements that are true, loop over all elements (foreach (@word) instead of while ($word[$count])).
You don't reset $count to 0 before the for loop, it still contains the number of non-false "words" at the beginning of the last line read. So you start filling @data at some unknown offset, and all elements of @data up to that offset are undef.
```
next if !defined ($string);   # should never be true.
[download]
```
even shows that you are partly aware of that problem. Change next to die "should not happen" and see your script die.
You mess with $count and arrays where a simple push would be sufficient. Don't make your life harder then necessary by trying to write C in Perl. Get rid of $count in the for loop, use push @data instead.

See also Re^2: Massive Memory Leak and Re: Counting rows Sqlite for the first three points.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Comment on Re^3: error joining hashref of an arrayref Select or Download Code

Replies are listed 'Best First'.
Re^4: error joining hashref of an arrayref by ag4ve (Monk) on Nov 01, 2010 at 04:37 UTC
your first three points on security are absolutely correct. however, after reading on prepare_cached(), i don't think that's my solution. maybe i'm wrong, but it just doesn't seem much more secure to me than prepare(). and i think that doing further checking on my input and a sanity check on the final query, that i be much better. in fact, since you brought it up, i found this great node here that has tons of pointers: http://www.perlmonks.org/?node_id=756058 and this discussion on sql injection http://unixwiz.net/techtips/sql-injection.html however, i think the first thing i'm going to be reading is the 'perlsec' doc mentioned at the top of that pm node. as for my code, i finally figured out how to make it more readable and usable. since i'm wanting items based on each word (which lines a word is in and which strings from sql a word returns) i use %data{ $word } and put all associated data on that. it's late, so this has issues that i need fixing, but my general idea is: while ( my $fields = $sth->fetchrow_arrayref ) { foreach my $field (@fields) { definition( $line, $word, $field ); } } } $dbh->disconnect; for my $word ( keys %data ) { while( my ($field, $type) = each %{ $data }{ $word } ) { print "$word,$field" if( $type eq 'field' ); while( my ($line, $type) = each %{ $data }{ $word } ) +{ print ",$line" if( $type eq 'line' ); } } } sub definition { my ($line, $word, $field) = @_; if( defined( $field ) { if( !defined( $data{ $word }{ $field } ) ) { $data{ $word }{ $field} = field; } $data{ $word }{ $line } = line; } } [download]	[reply] [d/l]

Replies are listed 'Best First'.

Re^4: error joining hashref of an arrayref
by ag4ve (Monk) on Nov 01, 2010 at 04:37 UTC

your first three points on security are absolutely correct. however, after reading on prepare_cached(), i don't think that's my solution. maybe i'm wrong, but it just doesn't seem much more secure to me than prepare(). and i think that doing further checking on my input and a sanity check on the final query, that i be much better. in fact, since you brought it up, i found this great node here that has tons of pointers:

and this discussion on sql injection

however, i think the first thing i'm going to be reading is the 'perlsec' doc mentioned at the top of that pm node. as for my code, i finally figured out how to make it more readable and usable.

since i'm wanting items based on each word (which lines a word is in and which strings from sql a word returns) i use %data{ $word } and put all associated data on that.

it's late, so this has issues that i need fixing, but my general idea is:

        while ( my $fields =  $sth->fetchrow_arrayref ) {
                foreach my $field (@fields) {
                        definition( $line, $word, $field );
                }
        }

}

$dbh->disconnect;


for my $word ( keys %data ) {
        while( my ($field, $type) = each %{ $data }{ $word } ) {
                print "$word,$field" if( $type eq 'field' );
                while( my ($line, $type) = each %{ $data }{ $word } ) 
+{
                        print ",$line" if( $type eq 'line' );
                }
        }
}


sub definition {

        my ($line, $word, $field) = @_;

        if( defined( $field ) {
                if( !defined( $data{ $word }{ $field } ) ) {
                        $data{ $word }{ $field} = field;
                }
                $data{ $word }{ $line } = line;
        }
}
[download]

[reply]
[d/l]