Mailing List Archive

Re: [wellwell/interchange6: 1/5] uid is not guaranteed to be numeric, so quote it
On 03/03/17 20:53, Stefan Hornburg wrote:
> - $set = $db_carts->query(q{select code from carts where name = '%s' and uid = %s},
> + $set = $db_carts->query(q{select code from carts where name = '%s' and uid = '%s'},
> $name, $uid);
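Review bot: the `+` line still leaves the query injectable: wrapping the placeholder in single quotes (`uid = '%s'`) only turns a non-numeric $uid into a valid string literal, it does not escape quote characters inside $uid or $name, so a value containing a `'` can still change the statement. Use `name = %s and uid = %s` in the format string and pass `$db_carts->quote($name), $db_carts->quote($uid)` as the arguments (or bind parameters, if the query method supports them), so the driver does the quoting.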

Can we not quote properly here to avoid SQL injection?

$set = $db_carts->query(q{select code from carts where name = %s and uid
= %s}, $db_carts->quote($name), $db_carts->quote($uid));


Peter

_______________________________________________
interchange-users mailing list
interchange-users@icdevgroup.org
http://www.icdevgroup.org/mailman/listinfo/interchange-users
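The difference between quoting the placeholder and quoting the value, as an added example that is not from the thread or from the Interchange6 code: Python's sqlite3 stands in for DBI, the `carts` table and its rows are constructed, and `quote()` is a hypothetical minimal stand-in for DBI's `$dbh->quote`.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the Interchange6 carts table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table carts (code text, name text, uid text)")
    db.executemany(
        "insert into carts values (?, ?, ?)",
        [("C1", "main", "42"), ("C2", "main", "abc-7"), ("C4", "o'brien", "42")],
    )
    return db


def lookup_format_quoted(db, name, uid):
    """The pattern in the patch: quotes live in the format string, values go in raw.
    Returns None when the interpolated value breaks the SQL (the injection condition)."""
    sql = "select code from carts where name = '%s' and uid = '%s'" % (name, uid)
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return None


def quote(value):
    """Hypothetical stand-in for DBI's quote(): wrap in single quotes, double embedded ones."""
    return "'" + str(value).replace("'", "''") + "'"


def lookup_quoted(db, name, uid):
    """Peter's suggestion: unquoted placeholders, each value passed through quote()."""
    sql = "select code from carts where name = %s and uid = %s" % (quote(name), quote(uid))
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, name, uid):
    """Bind parameters: the value never becomes part of the SQL text at all."""
    return [row[0] for row in db.execute(
        "select code from carts where name = ? and uid = ?", (name, uid))]


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe: constructed input, no payload needed.
    print(lookup_format_quoted(db, "o'brien", "42"))  # None: the quote altered the SQL
    print(lookup_quoted(db, "o'brien", "42"))         # ['C4']
    print(lookup_bound(db, "o'brien", "42"))          # ['C4']
    print(lookup_bound(db, "main", "abc-7"))          # ['C2']: non-numeric uid handled
```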
Re: [wellwell/interchange6: 1/5] uid is not guaranteed to be numeric, so quote it
On 03/03/2017 09:47 AM, Peter wrote:
> On 03/03/17 20:53, Stefan Hornburg wrote:
>> - $set = $db_carts->query(q{select code from carts where name = '%s' and uid = %s},
>> + $set = $db_carts->query(q{select code from carts where name = '%s' and uid = '%s'},
>> $name, $uid);
>
> Can we not quote properly here to avoid SQL injection?
>
> $set = $db_carts->query(q{select code from carts where name = %s and uid
> = %s}, $db_carts->quote($name), $db_carts->quote($uid));
>
>
> Peter

Hello Peter,

thanks for your code review & vigilance.

Fixed in 9246736ea974230526225e1bbd244a4f7dcff91a.

Regards
Racke


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration.
