On 2003-09-27 01:53:46 -0700, Dave Anderson wrote:
> I can see where in some cases that might be useful, but as I mentioned 
> below the values are coming from the database in the first place. So 
> from that standpoint alone you are talking about a very low risk 
> exploit. I suppose that someone could build a form and enter bogus 
> values,

Yes, that was what I was thinking about. 

> but this script is on an intranet and I'm not too worried about 
> it

Ok, if you trust your users. If you don't trust them, a server on an
intranet is probably more endangered than a public one, because the
users have more ways to find out about internals (they probably know
which database you use, they may have access to the source code of your
scripts, etc.).

> since the DB is small and gets backed up periodically with a cron 
> job. The Oracle exp dump file is only about 40K and is expected to grow 
> slowly so I can afford to back up frequently.

Backups only help you if you discover the problem fast enough.

> From what you said I can imagine that a really determined hacker might 
> be able to nest an insert, delete, or update statement into one of the 
> queries, and I'd like to understand for future reference how to mitigate 
> this risk... Are you suggesting something like the following?
> 
> > $sql = "SELECT
> > ID,OWNER,BASEVERSION,PLATFORM,DATABASE,DBCHARSET,MIGAPPSERVER
> > FROM MASTERTABLE
> > WHERE ACTIVE LIKE $dbh->quote($qActive)
> > AND CUSTOMER IN ($dbh->quote($customerValueString))

No, that would then be expanded to something like

    AND CUSTOMER IN ('a,b,c')

which is not what you want. Just replace "'$_'" in buildValueStrings
with $dbh->quote($_):

> >>    grep($_ = "'$_'", @$a);
> >>    return join(",", @$a);

should be

    grep($_ = $dbh->quote($_), @$a);
    return join(",", @$a);

or (a bit more readable, IMHO):

    return join(',', map { $dbh->quote($_) } @$a);

[168 lines of quotes deleted - please don't include the whole thread
into your replies, just the parts you are directly referring to]

        hp

-- 
   _  | Peter J. Holzer      | Our universe would be sadly
|_|_) | Sysadmin WSR / LUGA  | insignificant if it did not hold new
| |   | [EMAIL PROTECTED]        | problems in store for every generation.
__/   | http://www.hjp.at/   |  -- Seneca, naturales quaestiones
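The difference between quoting the joined string and quoting each element, as an added, runnable illustration of the advice in this reply (not code from the thread). It assumes DBI with DBD::SQLite; the table layout follows the quoted query, but the rows and the customer list are constructed sample data, and buildValueStrings is the reworked helper from the reply.

```perl
#!/usr/bin/perl
# Added example: wrong vs. right way to build a SQL IN (...) list with DBI.
# Assumes DBI and DBD::SQLite are installed (in-memory database, no setup).
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed table and rows; column names follow the quoted query.
$dbh->do("CREATE TABLE MASTERTABLE (ID INTEGER, CUSTOMER TEXT, ACTIVE TEXT)");
my $ins = $dbh->prepare(
    "INSERT INTO MASTERTABLE (ID, CUSTOMER, ACTIVE) VALUES (?, ?, ?)");
$ins->execute(@$_) for ([1, "acme", "Y"], [2, "o'reilly", "Y"], [3, "zeta", "N"]);

# Values as they might arrive from a form (constructed); one contains a quote.
my @customers = ("acme", "o'reilly");

# Wrong: quoting the already-joined string yields a single string literal,
# IN ('acme,o''reilly'), which no CUSTOMER value equals.
my $wrong = "SELECT ID FROM MASTERTABLE WHERE CUSTOMER IN ("
          . $dbh->quote(join(",", @customers)) . ")";

# Right: quote each element, so the list becomes IN ('acme','o''reilly')
# and the embedded quote is escaped rather than terminating the literal.
sub buildValueStrings {
    my ($dbh, $a) = @_;
    return join(',', map { $dbh->quote($_) } @$a);
}
my $right = "SELECT ID FROM MASTERTABLE WHERE CUSTOMER IN ("
          . buildValueStrings($dbh, \@customers) . ")";

# Also right, and preferable where the driver supports it: one placeholder
# per value, so the values never touch the SQL text at all.
my $marks = join(',', ('?') x @customers);
my $sth = $dbh->prepare("SELECT ID FROM MASTERTABLE WHERE CUSTOMER IN ($marks)");
$sth->execute(@customers);
my $ph_rows = $sth->fetchall_arrayref;

printf "joined-then-quoted: %d rows\n", scalar @{ $dbh->selectall_arrayref($wrong) };
printf "quoted per element: %d rows\n", scalar @{ $dbh->selectall_arrayref($right) };
printf "placeholders:       %d rows\n", scalar @$ph_rows;
```

The first query finds nothing because the whole list became one literal; the other two find both customers, including the one whose name contains a quote.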
