First off, thanks to Jenda and Wiggins for their quick response. I have found the answer to my question in Jenda's help (the missing "'"'s).

Sorry for not being more specific earlier; it has been a hectic day here :) This page is on an internal server that 3 people have access to (myself and 2 others). Making this ultra secure is not a big deal at this point. The way this is built is there is one cgi script (radius.cgi) that all this is in, and they are referenced by subroutine via the 'action' parameter. The $self variable is a variable that points back to this script (so $self?action=remove would get me to http://<insert_url_here>/radius.cgi?action=remove). It's easier to use a variable like that than to type out the other. There may be better ways to do that but, hey, this works and I'm a perl beginner :).

That being said (even though it may not have been necessary), can I get a link to a good description of the object oriented syntax if one exists? I know I can do a perldoc and find what it does and how to use it, but the variable names confuse me (i.e.: $sth etc). I'm sure I could understand it a lot better if someone (or a webpage) could explain it to me; the documentation just tells you how to use it, but I need to know what it means :).

Thanks ahead of time.

Dave Kettmann
NetLogic
636-561-0680

> -----Original Message-----
> From: Jenda Krynicky [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 01, 2004 3:02 PM
> To: Perl List (E-mail)
> Subject: Re: Is my DB code bad?
>
> From: "Dave Kettmann" <[EMAIL PROTECTED]>
> > I have a web page I am working on to delete an entry out of a
> > database. If I take the syntax in the perl script and paste it into a
> > mysql query, and substitute the variable for a value that exists in
> > the database, it will delete the entry. If I run it thru the web page,
> > I don't get an error, it says it worked ok and I get no errors. The
> > remove subroutine calls the removemac subroutine. Here is the code:
> >
> > --- CODE ---
> >
> > sub remove {
> >     my $delmac;
> >
> >     print "<h3 align=center> Delete MAC </h3>";
> >
> >     print "<h4 align=center> Careful! Make sure you know what you are doing! </h4>";
> >
> >     return <<FRM;
> > <center>
> > <form action="$self" method="post">
> > <input type="hidden" name="action" value="removemac"> MAC Address to remove: <input type="text" name="delmac">
> > <input type="submit" value="Delete MAC">
> > </form>
> > </center>
> > FRM
> >
> > }
> >
> > sub removemac {
> >     my $user = param('delmac');
> >
> >     print $user;
> >
> >     my $query = "DELETE FROM passwd WHERE user_name=$user LIMIT 1";
> >     my $sth = $dbh->prepare($query) || &db_err("Cannot prepare $query <P> \n:" . $dbh->errstr . "\n");
> >
> >     $sth->execute || &db_err("Cannot execute $query <P> \n:" .
>
> Wow. Where's this so that I can delete your database? ;-)
>
> Let me ask you something. What do you think happens if someone enters
> something like this into the delmac inputbox:
>
>     1; delete from passwd;
>
> Well, quite likely you get your table wiped out.
> You need to be careful with stuff you put into SQL!
>
> 1) You need to validate the data you get from the outside world.
>
> 2) You need to enclose strings in single quotes in SQL:
>
>     DELETE FROM passwd WHERE user_name='$user' LIMIT 1
>
> 3) You need to make sure special characters (if your validation
> allowed them) are properly quoted/escaped:
>
>     # $dbh->quote() escapes the value and adds the outer quotes itself
>     my $query = "DELETE FROM passwd WHERE user_name="
>         . $dbh->quote($user) . " LIMIT 1";
>
> but even better is to not interpolate the data into the query at all
> and use placeholders:
>
>     my $query = "DELETE FROM passwd WHERE user_name = ? LIMIT 1";
>     my $sth = $dbh->prepare($query)
>         || &db_err("Cannot prepare $query <P> \n:" . $dbh->errstr . "\n");
>
>     $sth->execute($user)
>         || &db_err("Cannot execute $query <P> \n:" . $dbh->errstr . "\n");
>
> Jenda
> ===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
> When it comes to wine, women and song, wizards are allowed
> to get drunk and croon as much as they like.
>     -- Terry Pratchett in Sourcery
>
> --
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> <http://learn.perl.org/> <http://learn.perl.org/first-response>
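Putting Jenda's three points together for the MAC-address form in the thread, as an added example (not Dave's radius.cgi and not code from the thread): it validates the value as a MAC, binds it with a placeholder, and returns the affected row count so the page can say whether anything was actually deleted instead of reporting "ok" on a no-op. It assumes DBD::SQLite is installed and uses an in-memory table with constructed rows; LIMIT 1 is left out because SQLite does not accept it on DELETE by default, and the primary key already limits a match to one row.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not the script from the thread. Assumes DBD::SQLite.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample table standing in for the real 'passwd' table.
$dbh->do("CREATE TABLE passwd (user_name TEXT PRIMARY KEY)");
$dbh->do("INSERT INTO passwd (user_name) VALUES (?)", undef, $_)
    for qw(00:11:22:33:44:55 66:77:88:99:aa:bb cc:dd:ee:ff:00:11);

# Steps 1 and 3 from the reply in one place: check that the value looks
# like a MAC address, then bind it with a placeholder instead of
# interpolating it into the SQL. Returns the number of rows deleted,
# or undef when the input was rejected before touching the database.
sub remove_mac {
    my ($dbh, $mac) = @_;
    return undef unless defined $mac
        && $mac =~ /^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$/i;
    my $sth = $dbh->prepare("DELETE FROM passwd WHERE user_name = ?");
    my $rows = $sth->execute($mac);   # DBI returns "0E0" for zero rows
    return $rows + 0;                 # force numeric: 0, 1, ...
}

sub count_rows {
    my ($dbh) = @_;
    return $dbh->selectrow_array("SELECT COUNT(*) FROM passwd");
}

for my $input ('00:11:22:33:44:55',       # exists: 1 row deleted
               '12:34:56:78:9a:bc',       # unknown: 0 rows, tell the user
               "1; delete from passwd;")  # the value from the reply: rejected
{
    my $rows = remove_mac($dbh, $input);
    printf "%-28s -> %s (%d rows left)\n", $input,
        defined $rows ? "$rows deleted" : "rejected", count_rows($dbh);
}
```

Even without the format check, the placeholder form treats the whole value as one string to compare against user_name, so the table keeps its three rows; the check just lets the page reject junk before it reaches the database.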