Please delete that script NOW, it is EXTREMELY INSECURE. There are at least THREE ways to compromise the database, the webserver and to send arbitrary mails. It lacks all kinds of error checks, as you have seen yourself. The code is written in a way that makes it very hard to detect accidentally included errors. Get rid of Oraperl, home-grown CGI code, and Perl 4 function calls. Enable strict, warnings, and taint mode.

My offer still exists: If you need assistance in making the script work securely, using taint mode, CGI and DBI methods, contact me via e-mail. I don't want any money for it, I just want to get this piece of horror out of this world. I would also do this on the dbi-users mailing list, but it will become off-topic very soon, so let's do it via e-mail.

Nevertheless, you load the Oracle client libraries in the line "use Oraperl;", this happens at COMPILE TIME of the script. You modify the environment (%ENV) at RUN TIME, when the Oracle client libraries have already been initialised without the missing environment variables.

The recommended way to set the environment variables is to make the webserver (probably Apache, probably included with Oracle) set the environment variables before your script is actually run. With Apache, set the variables for the Apache run account and use the PassEnv directive (http://httpd.apache.org/docs/1.3/mod/mod_env.html#passenv) or set the variables inside Apache using SetEnv (http://httpd.apache.org/docs/1.3/mod/mod_env.html#setenv). This way, you have to change the Oracle environment variables only at one place, httpd.conf, and not in each and every CGI.

There are ways to modify the environment at compile time, but I refuse to tell you how it is done. Unless done right, it would cause even more pain to you, and it would not help making that script more secure. (Not that the Apache way would make the script secure in any way, but it makes it a little bit more maintainable.)

Alexander

Chong, Wei-Ling wrote:
Hi,

The error happens on the line that connects to the database:

$lda = &ora_login('','[EMAIL PROTECTED]','dlbest')

If I add "or die $ora_errstr" on the same line, it returns error below:

$lda = &ora_login('','[EMAIL PROTECTED]','dlbest') or die $ora_errstr;

(UNKNOWN OCI STATUS 1804) OCIInitialize. Check ORACLE_HOME and NLS settings etc.

 at /oracle/app/http/dl/web/cgi/eppcd/ppcd_approval_ora.pl line 33.

I have set ORACLE_HOME and the NLS env string at the top of the Perl script, but I am still getting the same error.

This script works fine if I locate the script on the same server as the database.

Please help.

Thanks a lot.

________________________________

From: Reidy, Ron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 31, 2007 12:19 AM
To: Chong, Wei-Ling; [email protected]
Subject: RE: Can't call method "prepare" on an undefined value

Chong,

I am not a web programmer, but I see some things I would definitely fix in your program:

1. You should always 'use strict;' and 'use warnings;' - it will help you find things like this.
2. You should always check your statement handles after all calls (ora_open()).
3. You should always use bind variables to avoid SQL injection.
4. Line #92 looks suspicious to me - shouldn't there be two "\n" characters to avoid the "premature end of script headers" error (see http://htmlfixit.com/cgi-tutes/tutorial_Common_Web_dev_error_messages_and_what_they_mean.php)?

--

Ron Reidy

Lead DBA
Array BioPharma, Inc.

________________________________

From: Chong, Wei-Ling [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 30, 2007 3:23 AM
To: [email protected]
Subject: Can't call method "prepare" on an undefined value

Hi, I have one Oracle database located at server A and have set up the Oracle HTTP Server at server B. Both servers are Solaris servers. I have installed DBI and DBD on server B and set up Oraperl in my Perl script.

When I run the perl script, I am getting error:

Can't call method "prepare" on an undefined value at /oracle/app/http/product/OAS10.1.2.0.2/perl/lib/site_perl/5.6.1/sun4-solaris/Oraperl.pm line 121.

[Tue Jan 30 16:39:26 2007] [error] [client 165.204.172.185] [ecid: 1170146365:165.204.178.123:1213:0:7,0] Premature end of script headers: /oracle/app/http/dl/web/cgi/eppcd/ppcd_approval_ora.pl

It works fine when Oraperl is located on the same server as the database. I searched through the internet and it might be due to a connection string problem. I am able to sqlplus to this database from server B: sqlplus [EMAIL PROTECTED]

Attached is my Perl script. Is there any error in my Oraperl code?

Please help, much appreciated.

Thanks.

Best Regards,

Chong




--
Alexander Foken
mailto:[EMAIL PROTECTED]  http://www.foken.de/alexander/
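As an added example (not the poster's script and not code from the dbi-users list), here is a small CGI that applies the advice given in this thread: taint mode, strict and warnings, DBI with RaiseError and a bind variable, CGI.pm's header() for the blank line that terminates the headers, and the Oracle environment taken from the web server rather than set inside the script. The DSN 'dbi:Oracle:DBNAME', the DB_USER/DB_PASS variables and the table and column names are placeholders.

```perl
#!/usr/bin/perl -T
# Added example, not the script from this thread: a DBI/CGI rewrite of the
# pattern discussed above. Assumed placeholders: the DSN 'dbi:Oracle:DBNAME',
# the credential variables DB_USER/DB_PASS, and the table/column names.
use strict;
use warnings;
use CGI qw(header param);
use DBI;

# ORACLE_HOME and NLS settings must come from the web server environment
# (Apache SetEnv/PassEnv in httpd.conf): DBD::Oracle initialises the client
# libraries at module load, so setting %ENV here is as late as in Oraperl.
die "ORACLE_HOME is not set in the web server environment\n"
    unless $ENV{ORACLE_HOME};

# Taint mode (-T) refuses to run anything with an unsafe PATH.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint the only input by matching it against a strict pattern.
my $raw = param('id');
$raw = '' unless defined $raw;
my ($id) = $raw =~ /\A(\d{1,10})\z/;
unless (defined $id) {
    print header(-status => '400 Bad Request', -type => 'text/plain'),
        "invalid id\n";
    exit 0;
}

my $result = eval {
    # RaiseError: any failed connect/prepare/execute dies with the Oracle
    # error text instead of returning an undefined handle.
    my $dbh = DBI->connect('dbi:Oracle:DBNAME', $ENV{DB_USER}, $ENV{DB_PASS},
        { RaiseError => 1, PrintError => 0, AutoCommit => 0 });
    # Bind variable instead of interpolating $id into the SQL text.
    my $sth = $dbh->prepare('SELECT status FROM approvals WHERE id = ?');
    $sth->execute($id);
    my ($status) = $sth->fetchrow_array;
    $dbh->disconnect;
    defined $status ? "status=$status\n" : "not found\n";
};
if ($@) {
    warn "database error: $@";    # lands in the Apache error log, not the page
    print header(-status => '500 Internal Server Error', -type => 'text/plain'),
        "database error\n";
    exit 0;
}
# header() ends with the blank line that terminates the CGI headers, which
# is what "Premature end of script headers" complains about when missing.
print header(-type => 'text/plain'), $result;
```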
