perl-modperl mailing list archives

From Michael Peters <mpet...@plusthree.com>
Subject Re: mod_perl2 newbie DBI question
Date Thu, 12 Jun 2008 19:04:55 GMT
Brian Gaber wrote:

> Is there anything useful in the Apache error log?  Works fine a few
> times and then
> DBD::mysql::st execute failed: You have an error in your SQL syntax;
> check the manual that corresponds to your MySQL server version for the
> right syntax to use near '' at line 1 at
> /usr/local/apache2/perl-run/regDelLocks.pl line 191.\n

What does the SQL statement you are executing look like when it encounters this
problem? It's possible that you aren't getting what you think you should in
param('region').

quoting your earlier email:
> my $dbh = DBI->connect("DBI:mysql:database=esnap;host=localhost",
>                       "athena", "godess",
>                       {'RaiseError' => 1});
>
> # Determine MySQL locks table name
> my $sth = $dbh->prepare("SELECT * FROM region_props WHERE region =
> '$region'");
> $sth->execute();

Btw, this is *really* bad security-wise. $region is coming straight from the
browser. You're setting yourself up for an SQL Injection attack. Imagine I
request some URL like:

  regDelLocks.pl?region= %27blah%27%3B+DROP+ALL+DATABASES

Guess what will happen? Preventing this is really easy. Just use SQL bind params.

my $sth = $dbh->prepare("SELECT * FROM region_props WHERE region = ?");
$sth->execute($region);

-- 
Michael Peters
Plus Three, LP
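The two prepare/execute styles from the reply above, side by side, as an added example that is not part of the original thread or of Brian's script. It runs the region lookup against an in-memory SQLite database (DBD::SQLite) so it works offline; the region_props columns, the rows, and the sub names are made up for the demonstration. The payload used here is a tautology (' OR '1'='1) rather than a stacked DROP statement: DBD::mysql does not execute multiple statements per execute() unless mysql_multi_statements is turned on, but an attacker does not need stacking to rewrite the WHERE clause and read every row.

```perl
#!/usr/bin/perl
# Added example, not code from the original message. Shows the interpolated
# query (as in the original script) beside the bind-parameter version that
# Michael recommends, against a constructed in-memory SQLite table.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });

# Constructed fixture standing in for the real region_props table
# (column names and rows are assumptions for this example).
$dbh->do("CREATE TABLE region_props (region TEXT, locks_table TEXT)");
$dbh->do("INSERT INTO region_props VALUES ('east', 'locks_east')");
$dbh->do("INSERT INTO region_props VALUES ('west', 'locks_west')");

# Unsafe: $region is spliced into the SQL text, so anything that looks
# like SQL in it is parsed as SQL by the server.
sub lookup_interpolated {
    my ($region) = @_;
    my $sth = $dbh->prepare(
        "SELECT region FROM region_props WHERE region = '$region'");
    $sth->execute();
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# Safe: the statement text is fixed at prepare time and $region is sent
# as a bind value, so it can only ever be compared as a string.
sub lookup_bound {
    my ($region) = @_;
    my $sth = $dbh->prepare(
        "SELECT region FROM region_props WHERE region = ?");
    $sth->execute($region);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# What an attacker could put in param('region'): closes the quoted
# literal and appends a condition that is always true.
my $payload = "' OR '1'='1";

for my $input ("east", $payload) {
    printf "interpolated %-14s => %s\n", "'$input'",
        join(",", @{ lookup_interpolated($input) }) || "(no rows)";
    printf "bound        %-14s => %s\n", "'$input'",
        join(",", @{ lookup_bound($input) }) || "(no rows)";
}
```

Run it with `perl example.pl` after installing DBD::SQLite. With the interpolated query the payload turns the WHERE clause into `region = '' OR '1'='1'` and every row comes back; with the bind parameter the same payload is compared as a literal string and matches nothing. Note that the unsafe version also dies with a syntax error on a plain apostrophe in the input, which is the same class of failure as the "near ''" error quoted at the top of the thread.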

