Somehow you managed to have an undefined value instead of a DBI database handle in front of ->prepare, which is buried deep inside Oraperl.pm.

Please insert "use strict;" between the first line and the first line of code, and change the first line to "#!/usr/local/bin/perl -w". This will enable perl warnings and strict code checks. Remove all warnings and errors reported by strict and -w, then run your code again. Remove the & signs in front of function calls; this is Perl 4 style and has some undesirable side effects on Perl 5.

Looking at some more details, I see some problems with CGI parameters from the QUERY_STRING and other CGI issues. Consider using the CGI module instead of fiddling with environment variables. Consider using DBI objects instead of ora_xxx functions. Consider enabling taint mode (add -T to the first line).

At least $ppcd_id is vulnerable to SQL injection, allowing an attacker to read, and perhaps also modify and delete, data in the database.

At least $ppcd_no and $add_id are vulnerable to remote command execution, at least in the context of the CGI/Webserver user. They can also be (ab)used to send arbitrary mails to arbitrary recipients.

Personally, I would recommend deleting this script as soon as possible and rewriting it using CGI, DBI and taint mode. Feel free to contact me via email if you need help.

Alexander Foken


On 30.01.2007 11:23, Chong, Wei-Ling wrote:

Hi, I have one Oracle database located at server A and have set up the Oracle HTTP Server at server B. Both servers are Solaris servers. I have installed DBI and DBD on server B and set up oraperl in my perl script.

When I run the perl script, I am getting this error:

Can't call method "prepare" on an undefined value at /oracle/app/http/product/OAS10.1.2.0.2/perl/lib/site_perl/5.6.1/sun4-solaris/Oraperl.pm line 121.

[Tue Jan 30 16:39:26 2007] [error] [client 165.204.172.185] [ecid: 1170146365:165.204.178.123:1213:0:7,0] Premature end of script headers: /oracle/app/http/dl/web/cgi/eppcd/ppcd_approval_ora.pl

It works fine when oraperl is located on the same server as the database. I searched through the internet and it might be due to a connection string problem. I am able to sqlplus to this database from server B: sqlplus [EMAIL PROTECTED]

Attached is my perl script. Is there any error in my oraperl code?

Please help, much appreciated.

Thanks.

Best Regards,

Chong



--
Alexander Foken
mailto:[EMAIL PROTECTED]  http://www.foken.de/alexander/
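To make the recommendations in the reply concrete, here is an added example that is not the poster's script and not part of the original thread. It puts the two patterns the reply warns about (a CGI value interpolated into a SQL string, and a CGI value interpolated into a shell command line for sendmail) next to versions that use the CGI module, DBI placeholders, list-form open and taint mode. The parameter names $ppcd_id and $add_id come from the reply; the table and column names, the DSN and credentials, the sendmail path and the message contents are assumptions made for the illustration.

```perl
#!/usr/local/bin/perl -wT
# Added example, not the script discussed in the thread. Shows the kind of
# pattern the reply warns about next to a hardened rewrite using CGI, DBI
# placeholders and taint checking. Table/column names, DSN, credentials and
# the sendmail path are assumptions.
use strict;
use warnings;
use CGI;
use DBI;

# Under -T perl refuses to run external commands until PATH is set explicitly
# and the shell-influencing variables are gone.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;   # parses QUERY_STRING / POST body; no $ENV{...} parsing

# --- Vulnerable pattern (illustrative, NOT the poster's code) ---------------
# A CGI value pasted into SQL: ?ppcd_id=1'+OR+'1'='1 returns every row, and
# whatever else the server lets a single statement do.
sub unsafe_sql_for {
    my ($ppcd_id) = @_;
    return "SELECT status FROM ppcd_approval WHERE ppcd_id = '$ppcd_id'";
}

# A CGI value pasted into a command line: the string form of open hands it
# to /bin/sh, so add_id=x;id>/tmp/pwned runs as the web-server user, and
# any list of addresses turns the CGI into a mail relay.
sub unsafe_mail_command_for {
    my ($add_id) = @_;
    return "| /usr/lib/sendmail $add_id";
}

# --- Hardened versions ------------------------------------------------------
# Untaint by matching the exact shape you expect; a regex capture is the only
# way taint mode lets data out, and anything that does not match is rejected.
sub untaint_id {
    my ($raw) = @_;
    defined $raw && $raw =~ /\A(\d{1,10})\z/ or die "bad ppcd_id\n";
    return $1;
}

sub untaint_address {
    my ($raw) = @_;
    defined $raw && $raw =~ /\A([A-Za-z0-9][\w.+-]*\@[\w-]+(?:\.[\w-]+)+)\z/
        or die "bad add_id\n";
    return $1;   # no spaces, newlines, ';' or leading '-' can get through
}

sub lookup_status {
    my ($dbh, $ppcd_id) = @_;
    # Placeholder: the value is bound at execute time, never parsed as SQL.
    my $sth = $dbh->prepare('SELECT status FROM ppcd_approval WHERE ppcd_id = ?');
    $sth->execute($ppcd_id);
    my ($status) = $sth->fetchrow_array;
    return $status;
}

sub send_notice {
    my ($to, $body) = @_;
    # List-form open: no shell is involved, $to is one argv element.
    open my $mail, '|-', '/usr/lib/sendmail', '-oi', $to
        or die "sendmail: $!\n";
    print $mail "To: $to\nSubject: PPCD approval\n\n$body\n";
    close $mail or die "sendmail exited with status $?\n";
}

my $ppcd_id = untaint_id($q->param('ppcd_id'));
my $add_id  = untaint_address($q->param('add_id'));

# RaiseError makes a failed connect or prepare die with the DBI error text
# instead of handing an undefined handle to the next call.
my $dbh = DBI->connect('dbi:Oracle:ORCL', 'scott', 'tiger',
                       { RaiseError => 1, AutoCommit => 1 })
    or die "connect failed: $DBI::errstr\n";

my $status = lookup_status($dbh, $ppcd_id);
send_notice($add_id, "Request $ppcd_id is $status.");
print $q->header('text/plain'), "ok\n";
```

Two things to check when moving an Oraperl script to this style: with RaiseError set, a connect that fails for environment reasons dies with the Oracle error text at the connect line rather than later inside prepare, and the untaint regexes must be as narrow as the data allows, because a capture of `(.*)` satisfies taint mode without stopping anything.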
