
Re: Variable interpolation in a file to be read in

by davido (Cardinal)
on Oct 06, 2011 at 17:09 UTC (#930021=note)

in reply to Variable interpolation in a file to be read in

It's incredible how often this comes up in one form or another. Actually it's always just a variation on the same form; someone is passing malformed SQL to their database, with the solution being either use placeholders (bind values) or proper SQL quoting.

Two weeks ago a "friend" (the kind whom I hear from when he's got a programming problem, but not otherwise) called me. The call goes something like this:

"Dave, I have a PHP web application where people are able to select songs to sample, but whenever the song they select has a quote or apostrophe in the name, the application crashes."

Now I hate working with PHP, and never even bother looking for PHP jobs to do, but I'm too soft with old friends.

"It sounds like you've got a problem with how you're passing SQL to your database. Where did you get this application? You should be aware that if you're accepting song names via a web page and they are being incorporated into your SQL, you're open to SQL injection attacks. Even if you are validating your input with JavaScript, or some other client-side means, you're still open to attack since a malicious user could just form his own HTTP request that bypasses your client-side safeguards."

So next thing I know I've got a 400 line PHP program in my inbox. I found 65 places within the spaghetti code written by some freelancer in Ukraine where he was passing unescaped SQL to the database that contained user input. The quick solution was to quote it properly (PHP oddly has a different quoting function for every database flavor). That's the free solution he got from me. It should have been rewritten with bind values, but that would have taken longer, and I didn't hear any offer to employ me. Besides, I don't really want to invest more time in brushing up on PHP.

I don't know what more can be done to save people from themselves. Discussion on proper quoting and the use of some form of placeholders can easily be found in Perl's DBI documentation, and for those PHP kiddies, PHP's documentation of dealing with databases also discusses it. People are learning Perl and PHP somewhere. I wonder what source they're using that teaches them database access without discussing this important issue.



Re^2: Variable interpolation in a file to be read in
by tapolyaip (Initiate) on Oct 06, 2011 at 18:01 UTC

    Dave, I appreciate your concern on the code quality. Perhaps I haven't made it clear that the code was a skeletal program, in other words a quick "look and see" about the variables that I need to work with. The program was quickly written up so I don't need to keep explaining what I wanted to do, and is in no form part of the "real" program.

    Another point I'd like to make is that the file containing SQLs could easily be just a lot of text of some kind where you have to have some variables placed. So in light of the question posted, along with the sample code, there are no unsanitized SQLs passed to the database for execution. There is not even a single database connection in the sample code; in fact DBI is not even called here.

    So if I can paraphrase the original question: I read in a file that contains text and some Perl variables. The text is split into records into a hash. How can I display the hash values so they interpolate the variables into the text?

      " in a file that contains text and some perl variables."
      Just don't do that. :-) Use a template system e.g. HTML::Template*. That is, imo, the best way to go for that part of your problem.

      But it still leaves you with the next problem you'll have and which experienced monks are warning you about: quoting SQL properly. For that, placeholders are the way to go.

      * Don't worry about the HTML part of the name, it is, again imo, a handy templating system. Of course there are many others. It is just one that I am very familiar with.
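Added example (not code posted by davido, tapolyaip or the replying monk, and not from the PHP application discussed): the three ways of getting a user-supplied song title into a query that davido's post contrasts, and the "file of SQL/text with variables in it" question from the replies, in Perl with DBI. It assumes DBD::SQLite is installed and uses an in-memory database; the table, rows and song names are constructed for the example, and the `<TMPL_VAR name>` substitution at the end is a two-line stand-in for a real template module such as HTML::Template.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the application's "songs" table (DBD::SQLite, in memory).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT, sample TEXT)');
my $ins = $dbh->prepare('INSERT INTO songs (title, sample) VALUES (?, ?)');
$ins->execute(@$_) for [ "Don't Stop Me Now", 'dont_stop.mp3' ],
                       [ 'Hotel California',  'hotel.mp3'     ];

# The song name as it would arrive from the web form (constructed input).
my $song = "Don't Stop Me Now";

# 1. The pattern that crashed the PHP app: user input interpolated into the SQL text.
#    The apostrophe closes the string literal early, so the statement fails to parse.
#    With a crafted title, the rest of the input would be parsed as SQL instead.
my $row = eval {
    $dbh->selectrow_hashref("SELECT sample FROM songs WHERE title = '$song'");
};
print "interpolated: ", ($@ ? "error: $@" : "sample=$row->{sample}\n");

# 2. Proper quoting: $dbh->quote produces an escaped literal for the driver in use
#    ('Don''t Stop Me Now' for SQLite). This is the quick fix from the post; it works,
#    but every one of the 65 call sites has to remember to do it.
$row = $dbh->selectrow_hashref(
    'SELECT sample FROM songs WHERE title = ' . $dbh->quote($song));
print "quoted:       sample=$row->{sample}\n";

# 3. Placeholders (bind values): the SQL text is constant and the value is handed to
#    the driver separately, so it is never parsed as SQL. This is what the DBI docs recommend.
my $sth = $dbh->prepare('SELECT sample FROM songs WHERE title = ?');
$sth->execute($song);
my ($sample) = $sth->fetchrow_array;
print "placeholder:  sample=$sample\n";

# The classic injection string is just an unusual title to the placeholder version.
$sth->execute("' OR 1=1 --");
my @hit = $sth->fetchrow_array;
print "injection attempt matched a row: ", (@hit ? 'yes' : 'no'), "\n";

# 4. The "file of SQL with Perl variables in it" question: keep '?' placeholders in the
#    file (constructed here as a hash of name => SQL, as if read in and split into records)
#    and pass the values at execute time, instead of interpolating or eval'ing Perl code
#    read from the file.
my %sql = (
    sample_for_title => 'SELECT sample FROM songs WHERE title = ?',
    titles_like      => 'SELECT title FROM songs WHERE title LIKE ? ORDER BY title',
);
my $like = $dbh->selectcol_arrayref($sql{titles_like}, undef, '%o%');
print "titles like '%o%': @$like\n";

# 5. For non-SQL text, the same idea via a template: named tags filled from a hash.
#    HTML::Template's <TMPL_VAR name> syntax is used here; the substitution below is a
#    stand-in for the module so the example needs nothing extra. Unknown tags become ''.
my %record   = ( artist => 'Queen', title => $song );
my $template = "Now sampling: <TMPL_VAR title> by <TMPL_VAR artist>\n";   # constructed
(my $text = $template) =~ s{<TMPL_VAR\s+(\w+)>}{ $record{$1} // '' }ge;
print $text;
```

Run it with `perl songs.pl`: step 1 prints the driver's syntax error, steps 2 and 3 both return `dont_stop.mp3`, and the injection attempt matches nothing because the whole string is compared as a title. The template step shows why the file never needs to contain Perl variables: the text carries named tags, and the code supplies the values.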
