PerlMonks  

Re^3: untainting or encoding for shelled sqlplus update

by Herkum (Parson)
on May 15, 2008 at 19:22 UTC [id://686799]


in reply to Re^2: untainting or encoding for shelled sqlplus update
in thread untainting or encoding for shelled sqlplus update

You don't know how much code he would have to refactor to make it all usable in DBI. It might be a day's worth of work, or a month.

Creating a DBI handle will only take a few minutes and can be a test account. This is certainly easier, for a quick fix, than rewriting the whole thing to use DBI.


Re^4: untainting or encoding for shelled sqlplus update
by runrig (Abbot) on May 15, 2008 at 19:42 UTC
    Perhaps true...though if there is a lot of code, it's going to be a lot of work no matter what (not just creating "a DBI handle"). I imagine there's a lot of code with interpolated variables, e.g.

        my $sql = <<EOT;
        select blah, blahblah
        from blah_etc
        where foo = '$bar'
        EOT

    For the least amount of work, I might use something like Interpolate and turn that into something like:

        my $sql = <<EOT;
        select blah, blahblah
        from blah_etc
        where foo = $quote{$bar}
        EOT

    (with %quote properly defined through Interpolate)

    But even that is a lot of tedious work if there is a lot of SQL to change. I could be wrong, but I don't think it would be much more work to just go ahead and use DBI to execute the SQL and return results.

      I've been looking at Interpolate. How would that take care of bad characters in $bar in your example?


      #my sig used to say 'I humbly seek wisdom. '. Now it says:
      use strict;
      use warnings;
      I humbly seek wisdom.
        Start with what Herkum suggests above. Make one database handle. But then create a function that (maybe untaints the data and then) calls $dbh->quote() on its argument and returns the results, then use Interpolate to tie a hash to that function. Or, don't use DBI, and just wing it to create your own escaping function.
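The approach runrig describes above (one database handle, a function that untaints its argument and then calls $dbh->quote() on it, and a hash tied to that function so that $quote{$bar} interpolates the escaped value into the heredoc) as an added example; this is not code from the thread. It ties the hash by hand with Perl's built-in tie instead of through Interpolate, so the tie package QuoteHash, the function untaint_and_quote, the character whitelist and the sample value are all constructed here. It assumes DBD::SQLite is installed so the handle can be created offline; a DBD::Oracle handle would be used the same way.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Tied hash whose every FETCH passes the key through a quoting function.
# Constructed by hand here; an Interpolate-style module sets up the same kind of tie.
package QuoteHash;
sub TIEHASH  { my ($class, $quoter) = @_; return bless { quoter => $quoter }, $class }
sub FETCH    { my ($self, $key) = @_;     return $self->{quoter}->($key) }
sub STORE    { die "the quote hash is read-only\n" }
sub EXISTS   { return 1 }
sub FIRSTKEY { return undef }
sub NEXTKEY  { return undef }
package main;

# One DBI handle, used only for quoting. In-memory SQLite is an assumption so the
# script runs without a real database; the thread's target is Oracle.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });

# Untaint first: refuse anything outside the characters the column is expected
# to hold (whitelist constructed for this example), then let $dbh->quote() wrap
# the value in single quotes and escape any embedded single quotes.
sub untaint_and_quote {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ /\A([\w\s.,'@-]*)\z/
        or die "refusing to quote value with unexpected characters\n";
    return $dbh->quote($1);
}

tie my %quote, 'QuoteHash', \&untaint_and_quote;

# The vulnerable form from the thread: the raw variable lands inside the quotes.
sub unsafe_sql {
    my ($bar) = @_;
    return <<EOT;
select blah, blahblah
from blah_etc
where foo = '$bar'
EOT
}

# The hardened form: the tied hash quotes the value during interpolation.
sub safe_sql {
    my ($bar) = @_;
    return <<EOT;
select blah, blahblah
from blah_etc
where foo = $quote{$bar}
EOT
}

# Constructed sample input with an embedded single quote.
my $bar = "O'Brien";
print "unsafe:\n", unsafe_sql($bar);
print "safe:\n",   safe_sql($bar);
```

Running it shows the unsafe statement with a stray quote that breaks the SQL, while the safe statement carries the value as a single, properly escaped literal. The same %quote hash works in every existing heredoc: changing '$bar' to $quote{$bar} is the only edit each statement needs, which is the minimal-rework route the thread is weighing against a full move to DBI placeholders.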
