Hi Ovid,

Ovid wrote on 11.02.2005:

>Hi Jan,
>
>Apologies in advance if any of this seems too pedantic.
>
I was asking for pedantic remarks. ;-)

>What you are essentially looking for is SQL capable of handling tree
>structures so you can pull this data in a single fetch.  You can
>read about this in Joe Celko's SQL for Smarties or (more
>specifically) Joe Celko's Trees and Hierarchies in SQL for Smarties.
>
Thanks! You're right, that's what I was looking for.

>First, you'll notice that I pass in $dbh and $page_hash.  Good
>subroutines are frequently treated like black boxes.  They accept
>information and they give a response.  In your subroutine, it's
>almost there, but it relies on $dbh and $page_hash being declared
>globally. If those ever get munged, it can be quite difficult to
>track down the error.  Plus, if you reuse this code elsewhere, it's
>harder to do if those are global.
>
Agreed. I actually know and follow that guideline. The code I posted was not 
yet fine-tuned and complete.

>The more serious problem, though, was how you were using
>selectrow_array.  My guess, from how your form was set up, is that
>$mutterid was being passed in from the form.  If you've carefully
>untainted it, it's probably OK to use it the way you were, but it's
>still a tripwire for further maintenance and possibly a serious
>security hole due to having it embedded directly in the SQL.  This
>leaves the code vulnerable to an SQL injection attack
>(http://www.unixwiz.net/techtips/sql-injection.html).

Oh, that should not be an issue - $mutterid does not come from a user, but is 
pulled from the database itself.

Besides, I use the taint mode all the time and should be notified when I use 
untainted variables.

>I've converted the code to use bind values to prevent this security
>problem.  See "perldoc DBI" and read the section entitled
>"Placeholders and Bind Values".
>
That's right, I should've taken that measure anyway.

Thanks again for your hints!

Have a great day,

Jan 
-- 
There are two major products that come out of Berkeley: LSD and UNIX. We don't 
believe this to be a coincidence. - Jeremy S. Anderson
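As an added illustration of the placeholder advice quoted above (not code from the thread), here is the selectrow_array pattern in both forms, run against a constructed in-memory SQLite table; the table and column names are assumptions, only $mutterid comes from the thread, and DBD::SQLite is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the pages table discussed in the thread; the
# schema is an assumption, the original is not on the page.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE pages (id INTEGER PRIMARY KEY, mutterid INTEGER, title TEXT)");
$dbh->do("INSERT INTO pages VALUES (1, NULL, 'root')");
$dbh->do("INSERT INTO pages VALUES (2, 1, 'first child')");
$dbh->do("INSERT INTO pages VALUES (3, 1, 'second child')");

# Pattern to avoid: the value becomes part of the SQL text. The database
# cannot distinguish data from code here, and that holds whether the value
# came from a form or was read back from another table earlier.
sub title_interpolated {
    my ($dbh, $mutterid) = @_;
    return $dbh->selectrow_array("SELECT title FROM pages WHERE id = $mutterid");
}

# Placeholder version (see "Placeholders and Bind Values" in perldoc DBI):
# the SQL text is constant and DBI hands the value over separately, so it
# is only ever treated as data.
sub title_bound {
    my ($dbh, $mutterid) = @_;
    return $dbh->selectrow_array("SELECT title FROM pages WHERE id = ?",
                                 undef, $mutterid);
}

# Same idea with prepare/execute, which is what you want when walking a
# tree one parent at a time: one prepared statement, many bound executes.
sub children_of {
    my ($dbh, $mutterid) = @_;
    my $sth = $dbh->prepare("SELECT id, title FROM pages WHERE mutterid = ?");
    $sth->execute($mutterid);
    return $sth->fetchall_arrayref({});
}

print "parent: ", title_bound($dbh, 1), "\n";
for my $row (@{ children_of($dbh, 1) }) {
    print "  child $row->{id}: $row->{title}\n";
}
```

Running it prints the root title followed by its two children; title_interpolated is left in only as the shape to recognise and replace during maintenance.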
