perl-modperl mailing list archives

From "Brian Gaber" <Brian.Ga...@PWGSC.GC.CA>
Subject RE: mod_perl2 newbie DBI question
Date Fri, 13 Jun 2008 12:25:40 GMT
Michael,

Thank you very much for this valuable advice.

Cheers.

Brian

-----Original Message-----
From: Michael Peters [mailto:mpeters@plusthree.com]
Sent: Thursday, June 12, 2008 3:05 PM
To: Brian Gaber
Cc: Jim Brandt; modperl@perl.apache.org
Subject: Re: mod_perl2 newbie DBI question

Brian Gaber wrote:

> Is there anything useful in the Apache error log?  Works fine a few 
> times and then DBD::mysql::st execute failed: You have an error in 
> your SQL syntax; check the manual that corresponds to your MySQL 
> server version for the right syntax to use near '' at line 1 at 
> /usr/local/apache2/perl-run/regDelLocks.pl line 191.\n

What does the SQL statement you are executing look like when it
encounters this problem? It's possible that you aren't getting what you
think you should in param('region').

quoting your earlier email:
> my $dbh = DBI->connect("DBI:mysql:database=esnap;host=localhost",
>                       "athena", "godess",
>                       {'RaiseError' => 1});
>
> # Determine MySQL locks table name
> my $sth = $dbh->prepare("SELECT * FROM region_props WHERE region = '$region'");
> $sth->execute();

Btw, this is *really* bad security wise. $region is coming straight from
the browser. You're setting yourself up for an SQL Injection attack.
Imagine I request some URL like:

  regDelLocks.pl?region= %27blah%27%3B+DROP+ALL+DATABASES

Guess what will happen? Preventing this is really easy. Just use SQL
bind params.

my $sth = $dbh->prepare("SELECT * FROM region_props WHERE region = ?");
$sth->execute($region);

--
Michael Peters
Plus Three, LP
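The contrast Michael draws above, worked through as an added example (this is not code from the thread or from either poster). It assumes DBI with DBD::SQLite installed and uses an in-memory database, so the `region_props` table and its two rows are constructed stand-ins for the MySQL table in the original script. The first lookup reproduces the interpolated form from the quoted code, the second uses the `?` placeholder from the fix, and a small allowlist check is added as an extra layer on top of bind params, not as a replacement for them.

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list thread: string interpolation vs. bind params.
# Assumes DBI and DBD::SQLite are available; everything below runs offline.
use strict;
use warnings;
use DBI;

# Constructed schema standing in for the thread's MySQL "region_props" table.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE region_props (region TEXT, locks_table TEXT)");
$dbh->do("INSERT INTO region_props VALUES ('east', 'locks_east'), ('west', 'locks_west')");

# The pattern quoted in the thread: the request parameter is pasted into the SQL text,
# so any quote character in the value changes the shape of the statement.
sub lookup_interpolated {
    my ($dbh, $region) = @_;
    my $sth = $dbh->prepare("SELECT * FROM region_props WHERE region = '$region'");
    $sth->execute();
    return $sth->fetchall_arrayref;
}

# Michael's fix: the SQL text is fixed at prepare() time and the value is handed to
# execute() as data, so the database never parses it as SQL.
sub lookup_bound {
    my ($dbh, $region) = @_;
    my $sth = $dbh->prepare("SELECT * FROM region_props WHERE region = ?");
    $sth->execute($region);
    return $sth->fetchall_arrayref;
}

# Extra layer (an assumption about this constructed schema): region names are short
# identifiers, so anything else can be rejected before it reaches the database.
sub valid_region {
    my ($region) = @_;
    return defined $region && $region =~ /\A[A-Za-z0-9_-]{1,32}\z/;
}

# Constructed inputs: a normal value, and the decoded form of the query string
# Michael shows in his message.
my @inputs = ("east", "'blah'; DROP ALL DATABASES");

for my $region (@inputs) {
    printf "input: %s\n", $region;
    printf "  valid_region: %s\n", valid_region($region) ? "yes" : "no";

    # Interpolated: the embedded quote breaks the statement, and with RaiseError => 1
    # prepare() dies with a syntax error of the kind seen in the Apache error log.
    my $rows = eval { lookup_interpolated($dbh, $region) };
    if ($@) {
        print "  interpolated: ERROR: $@";
    } else {
        printf "  interpolated: %d row(s)\n", scalar @$rows;
    }

    # Bound: the same string is compared against the column as a value and simply
    # matches no rows.
    $rows = lookup_bound($dbh, $region);
    printf "  bound:        %d row(s)\n", scalar @$rows;
}
```

The syntax error raised by the interpolated lookup is the same failure mode the error log in the thread reports: the value from `param('region')` is being parsed as part of the statement. The bound lookup treats it as an ordinary string, which is why it returns no rows rather than failing, and the allowlist check gives the handler a place to reject malformed input with a clear error before any query runs.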

