--- "FLAHERTY, JIM-CONT" <[EMAIL PROTECTED]> wrote:
> This is what my error log says on my redhat 7.1
> 
> [Sun Sep 16 13:18:33 2001] [error] Undefined subroutine &main::redirect called at /var/www/cgi-bin/sobt/add.cgi line 38.
> 
> [Sun Sep 16 13:18:44 2001] [error] [client 192.168.1.8] Premature end of script
> 
> here is my code:
>
> $dbh =DBI ->connect($data_source, $username, $password); 
> my $sth1 = $dbh -> prepare("insert into media(serial,name,desc1)values('$serial','$name','$desc1')");
> $sth1 -> execute ;
> #$sth1 -> finish;
> 
> 
> $dbh->disconnect;
> 
> ###############################################
> #  re direct page back
> ###############################################
> 
> print redirect('sobt_admin.cgi');

&redirect is one of the functions from CGI.pm.  If this is what you intended to use, you'll either need to import it or declare an object and call it as a method:

    use CGI qw/:standard/;
    print redirect($someplace);

    # or #

    use CGI;
    my $q = CGI->new;
    print $q->redirect($someplace);

I'm extremely concerned about your variables.  You don't show yourself using the DBI::quote method, so you could be potentially allowing a huge security hole if the data you're adding is submitted by a user.  Quoting your data or using placeholders should prevent this security hole:

    my $sth1 = $dbh->prepare("insert into media (serial,name,desc1) values(?,?,?)");
    $sth1->execute( $serial, $name, $desc1 ) ;

    # or #

    $serial  = $dbh->quote( $serial );
    $name    = $dbh->quote( $name );
    $desc1   = $dbh->quote( $desc1 );
    my $sth1 = $dbh->prepare("insert into media(serial,name,desc1)values($serial,$name,$desc1)");

The reason this is a problem is that many databases allow you to execute multiple SQL statements at once.  If someone puts a terminating quote mark followed by appropriate input data, they can potentially execute arbitrary SQL against the database.  Again, placeholders or the $dbh->quote method should prevent this.

Cheers,
Curtis "Ovid" Poe

=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
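
The three variants from the reply above (interpolated SQL, placeholders, and $dbh->quote), run side by side as an added example that is not Jim's or Ovid's code. It assumes DBD::SQLite is installed and uses an in-memory database, since the original post never names its driver; the "media" table and the sample values are constructed here. The name contains an apostrophe, which is enough to show why the interpolated statement fails while the two safe forms store the value intact.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database stands in for
# the MySQL/Postgres the original add.cgi talked to; the table is constructed.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 0, PrintError => 0, AutoCommit => 1 })
    or die "connect failed: $DBI::errstr";
$dbh->do("CREATE TABLE media (serial TEXT, name TEXT, desc1 TEXT)")
    or die $dbh->errstr;

# Constructed sample input: ordinary data that happens to contain a quote.
my ($serial, $name, $desc1) = ('A-100', "O'Brien", 'sample description');

# 1. Interpolating the variables into the SQL, as the original add.cgi did.
#    The apostrophe in $name closes the string literal early, so the rest
#    of the statement is no longer valid SQL and prepare() fails.
my $interpolated = "insert into media(serial,name,desc1) "
                 . "values('$serial','$name','$desc1')";
my $sth = $dbh->prepare($interpolated);
if ($sth && $sth->execute) {
    print "interpolated: inserted\n";
} else {
    print "interpolated: failed -- ", $dbh->errstr, "\n";
}

# 2. Placeholders: the values never become part of the SQL text, so the
#    driver stores the apostrophe as data rather than parsing it as syntax.
$sth = $dbh->prepare("insert into media(serial,name,desc1) values(?,?,?)")
    or die $dbh->errstr;
$sth->execute($serial, $name, $desc1) or die $sth->errstr;

# 3. $dbh->quote: escapes the value and wraps it in quotes for this driver's
#    dialect (SQLite doubles the apostrophe, giving 'O''Brien').
my $q_serial = $dbh->quote($serial);
my $q_name   = $dbh->quote($name);
my $q_desc1  = $dbh->quote($desc1);
print "quoted name literal: $q_name\n";
$dbh->do("insert into media(serial,name,desc1) values($q_serial,$q_name,$q_desc1)")
    or die $dbh->errstr;

# Only the two safe variants reached the table, and both kept the name intact.
my $rows = $dbh->selectall_arrayref("select serial, name, desc1 from media");
printf "%s | %s | %s\n", @$_ for @$rows;
my ($count) = $dbh->selectrow_array(
    "select count(*) from media where name = ?", undef, $name);
print "rows storing the name with its apostrophe: $count\n";

$dbh->disconnect;
```

Placeholders are the form to prefer: the escaping is done by the driver for whatever database is behind $dbh, and a prepared statement can be executed repeatedly with different values without rebuilding the SQL string each time.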
