Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

comment on
( [id://3333]=superdoc: print w/replies, xml ) Need Help??

It's incredible how often this comes up in one form or another. Actually it's always just a variation on the same form; someone is passing malformed SQL to their database, with the solution being either use placeholders (bind values) or proper SQL quoting.

Two weeks ago a "friend" (the kind whom I hear from when he's got a programming problem, but not otherwise) called me. The call goes something like this:

"Dave, I have a PHP web application where people are able to select songs to sample, but whenever the song they select has a quote or apostrophe in the name, the application crashes."

Now I hate working with PHP, and never even bother looking for PHP jobs to do, but I'm too soft with old friends.

"It sounds like you've got a problem with how you're passing SQL to your database. Where did you get this application? You should be aware that if you're accepting song names via a web page and they are being incorporated into your SQL, you're open to SQL injection attacks. Even if you are validating your input with JavaScript, or some other client-side means, you're still open to attack since a malicious user could just form his own HTTP request that bypasses your client-side safeguards."

So next thing I know I've got a 400 line PHP program in my inbox. I found 65 places within the spaghetti code written by some freelancer in Ukraine where he was passing unescaped SQL to the database that contained user input. The quick solution was to quote it properly (PHP oddly has a different quoting function for every database flavor). That's the free solution he got from me. It should have been rewritten with bind values, but that would have taken longer, and I didn't hear any offer to employ me. Besides, I don't really want to invest more time in brushing up on PHP.

I don't know what more can be done to save people from themselves. Discussion on proper quoting and the use of some form of placeholders can easily be found in Perl's DBI documentation, and for those PHP kiddies, PHP's documentation of dealing with databases also discusses it. People are learning Perl and PHP somewhere. I wonder what source they're using that teaches them database access without discussing this important issue.


Dave

In reply to Re: Variable interpolation in a file to be read in by davido
in thread Variable interpolation in a file to be read in by tapolyaip

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":


  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others musing on the Monastery: (4)
As of 2024-04-23 23:13 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found