From: "Dave Kettmann" <[EMAIL PROTECTED]>

> I have a web page I am working on to delete an entry out of a
> database. If I take the syntax in the perl script and paste it into a
> mysql query, and substitute the variable for a value that exists in
> the database, it will delete the entry. If I run it through the web page,
> I don't get an error, it says it worked ok and I get no errors. The
> remove subroutine calls the removemac subroutine. Here is the code:
>
> --- CODE ---
>
> sub remove {
>     my $delmac;
>
>     print "<h3 align=center> Delete MAC </h3>";
>
>     print "<h4 align=center> Careful! Make sure you know what you are doing! </h4>";
>
>     return <<FRM;
> <center>
> <form action="$self" method="post">
> <input type="hidden" name="action" value="removemac">
> MAC Address to remove: <input type="text" name="delmac">
> <input type="submit" value="Delete MAC">
> </form>
> </center>
> FRM
>
> }
>
> sub removemac {
>     my $user = param('delmac');
>
>     print $user;
>
>     my $query = "DELETE FROM passwd WHERE user_name=$user LIMIT 1";
>     my $sth = $dbh->prepare($query)
>         || &db_err("Cannot prepare $query <P> \n:" . $dbh->errstr . "\n");
>
>     $sth->execute
>         || &db_err("Cannot execute $query <P> \n:" . $dbh->errstr . "\n");
> }
Wow. Where's this so that I can delete your database? ;-)

Let me ask you something. What do you think happens if someone enters something like this into the delmac input box:

    1; delete from passwd;

Well, quite likely you get your table wiped out. You need to be careful with stuff you put into SQL!

1) You need to validate the data you get from the outside world.

2) You need to enclose strings in single quotes in SQL:

    DELETE FROM passwd WHERE user_name='$user' LIMIT 1

3) You need to make sure special characters (if your validation allowed them) are properly quoted/escaped. $dbh->quote() returns the value already wrapped in quotes, so no extra quotes go around it:

    my $query = "DELETE FROM passwd WHERE user_name=" . $dbh->quote($user) . " LIMIT 1";

But even better is to not interpolate the data into the query at all and use placeholders:

    my $query = "DELETE FROM passwd WHERE user_name = ? LIMIT 1";
    my $sth = $dbh->prepare($query)
        || &db_err("Cannot prepare $query <P> \n:" . $dbh->errstr . "\n");
    $sth->execute($user)
        || &db_err("Cannot execute $query <P> \n:" . $dbh->errstr . "\n");

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed
to get drunk and croon as much as they like.
	-- Terry Pratchett in Sourcery

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
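The three variants Jenda lists, run side by side against a throwaway table so the difference in surviving rows is visible; this is an added example, not code from the thread. It assumes DBD::SQLite is installed, stands an in-memory SQLite table in for the MySQL passwd table, drops the LIMIT clause (stock SQLite does not accept it on DELETE), and uses a constructed single-statement input that rewrites the WHERE clause instead of the stacked statement Jenda quotes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; ":memory:" gives a scratch database.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Rebuild a small passwd table before each variant.
sub reset_table {
    $dbh->do("DROP TABLE IF EXISTS passwd");
    $dbh->do("CREATE TABLE passwd (user_name TEXT NOT NULL)");
    $dbh->do("INSERT INTO passwd (user_name) VALUES (?)", undef, $_)
        for qw(alice bob carol);
}

sub row_count {
    my ($n) = $dbh->selectrow_array("SELECT COUNT(*) FROM passwd");
    return $n;
}

# Constructed input: closes the single-quoted literal and appends a
# condition that holds for every row, so one DELETE matches the whole table.
my $user = "nobody' OR 'a'='a";

# 1. Interpolated with quotes (point 2) but no escaping: the input becomes
#    part of the SQL and changes the WHERE clause.
reset_table();
$dbh->do("DELETE FROM passwd WHERE user_name='$user'");
printf "interpolated: %d rows left\n", row_count();

# 2. $dbh->quote(): the driver escapes the embedded quote and wraps the
#    value in quotes itself, so it is concatenated without extra quotes.
reset_table();
$dbh->do("DELETE FROM passwd WHERE user_name=" . $dbh->quote($user));
printf "quote():      %d rows left\n", row_count();

# 3. Placeholder: the value is bound at execute time and never becomes
#    part of the statement text.
reset_table();
my $sth = $dbh->prepare("DELETE FROM passwd WHERE user_name = ?");
$sth->execute($user);
printf "placeholder:  %d rows left\n", row_count();
```

Only the first variant empties the table; the other two delete nothing because no user is literally named "nobody' OR 'a'='a".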