Ponder the difference between

  my $name = $cgi->param('name');
  my $query = "INSERT ... VALUES($name)";
[download]

  my $name = $cgi->param('name');
  my $query = "INSERT ... VALUES("
              . dbi->quote($name)
              . ")";
[download]

Without seeing your code, I can only guess that you are not using the DBI module's quote() method. It escapes special characters so that they can be used in SQL properly. You might also want to look through the DBI manpage for placeholders, as they will perform quoting automatically.

sub doGetCGIvars {
    my $VarName;
    my $query = new CGI;
    foreach $VarName ($query->param) {
       $assign = "\$$VarName = '" . $query->param($VarName) . "'";
       &UnTaint($assign);
       eval($assign);
    }
}
[download]

$assign = "\$$VarName = \"" . $query->param($VarName) . '"';
[download]

--Jim

I'm sure that you realize that single-quotes aren't the only reason the above code is very, very bad. If, for example, someone were to figure out what you're doing, they could call your script like this:


script.cgi?x=1;system('rm%20-rf%20/etc/');print%20'gotcha!

This would eval (I think -- it's not tested), and do some potentially nasty things. I'm not devious enough to come up with something really nasty to do in a system call, but you get the idea... jpt

You are correct, although your example would not work as you intended, something along the lines of the following would:

script.cgi?x=' . system "any valid OS command here" . '
[download]

the eval of which would look like this:

$x = '' . system "any valid OS command here" . '';
[download]

In this particular case, the UnTaint would not find any "naughty" symbols we associate with usual system cracking attempts. My focus, however was to address the cause of the poster's immediate problem. The references to the other links and the warning I think were sufficient. In his CGI Course, Ovid addresses these and other security issues.

--Jim

 $ins = "INSERT INTO `items` (`category`, `itemid`, `description`, `lo
+ngdescription`, `size`, `o1n`, `o1o`, `o2n`, `o2o`, `o3n`, `o3o`, `c1
+n`, `c1v`, `c2n`, `c2v`, `c3n`, `c3v`, `price`, `small`, `large`)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
+?, ?)";

 $sth = $dbh->prepare("$ins") or die $dbh->errstr;
 $sth->execute(map(scalar param($_), qw(cat itemid des longdes size o1
+n o1o o2n o2o o3n o3o c1n c1v c2n c2v c3n c3v)),$price,$small,$large)
+ or die $dbh->errstr;
[download]

You're letting un-Taint-checked data into your database, though it should be correctly quoted. I hope you trust your users.

Your original problem statement is:

Well Im having a problem if a user fills out one of my forms and puts somethi g in quotes, and when that gets printed from the database everything beyond the quptes is whiped out, they dont even show up in txt fields.

Let's break this down. From what you've shown, quotes in a field should get correctly quoted on insert to the database. Have you verified that data is truncated once it's in the database? Assuming that the corrupted data is from the "description" field, what does   SELECT description FROM items WHERE itemid=? show, when you plug in the right itemid?

If it's correct in the database, then you've narrowed the search, and we can then start examining the path data takes on the way back from the database. E.g., If you're putting data that contains quotes into HTML edit controls, you'll need to entity-escape the data.

And please post your responses under the correct node. It makes the discussion easier to follow.