[Cgi-session-user] Re: [rt.cpan.org #18578] Possible SQL injection attack
From: Mark S. <ma...@su...> - 2006-04-07 14:36:42
CGI::Session 4.12 has been uploaded to address the following. I tested it with SQLite and PostgreSQL 8.0. If there is a problem with MySQL, it should fail when you run the test suite.

Mark

On Fri, Apr 07, 2006 at 08:34:38AM -0400, ma...@su... via RT wrote:
>
> On Thu, Apr 06, 2006 at 05:54:07PM -0400, Guest via RT wrote:
> >
> > would be better done with place holders or $dbh->quote (and maybe the
> > return value could be more meaningful and safe)
> >
> > sub remove {
> >     my $self = shift;
> >     my ($sid) = @_;
> >     croak "remove(): usage error" unless $sid;
> >
> >     my $rc = $self->{Handle}->do(
> >         'DELETE FROM '
> >         # table name is an identifier, so quote it as one, not as a string
> >         . $self->{Handle}->quote_identifier($self->table_name)
> >         . ' WHERE id='
> >         . $self->{Handle}->quote($sid)
> >     );
> >
> >     # do(DELETE) usually returns 0 even though it worked; do or croak()
> >     # could cause problems...
> >     croak "remove(): \$dbh->do failed!" if $rc eq '0E0';
> >
> >     # maybe not croak and return ??
> >     return $rc eq '0E0' ? 0 : 1;
> > }
>
> Good idea. We'll work something like this in.
>
> I think the 'id' is the field to be concerned most about, as the table
> name is controlled by the module user.
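The fix discussed in this thread, shown as an added stand-alone example (not CGI::Session's own code): the string-interpolated `remove()` beside a version that binds the session id as a placeholder and quotes the table name as an identifier. It assumes DBD::SQLite and a constructed in-memory `sessions` table; the hostile id is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use Carp qw(croak);

# Constructed in-memory database standing in for the caller's handle.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE sessions (id CHAR(32) PRIMARY KEY, a_session TEXT)');
$dbh->do('INSERT INTO sessions VALUES (?, ?)', undef, $_, 'data')
    for qw(abc123 def456 ghi789);

# Vulnerable pattern: the session id is spliced into the SQL text.
sub remove_unsafe {
    my ($dbh, $table, $sid) = @_;
    return $dbh->do("DELETE FROM $table WHERE id='$sid'");
}

# Hardened pattern: identifier quoted with quote_identifier, the id
# bound as a placeholder so it can never change the statement shape.
sub remove_safe {
    my ($dbh, $table, $sid) = @_;
    croak "remove(): usage error" unless defined $sid && length $sid;
    my $sql = 'DELETE FROM ' . $dbh->quote_identifier($table)
            . ' WHERE id = ?';
    my $rc = $dbh->do($sql, undef, $sid);
    # do() returns the affected-row count; "0E0" is DBI's true-but-zero
    # value meaning "no rows matched", which is not a failure. undef is.
    croak "remove(): \$dbh->do failed: " . $dbh->errstr unless defined $rc;
    return $rc + 0;   # 0 when nothing matched, otherwise the row count
}

sub count_rows {
    my ($dbh) = @_;
    return $dbh->selectrow_array('SELECT COUNT(*) FROM sessions');
}

# Constructed hostile id that closes the quote in the unsafe version.
my $hostile = "x' OR '1'='1";

print "rows before: ", count_rows($dbh), "\n";
printf "safe call with hostile id deleted %d row(s)\n",
       remove_safe($dbh, 'sessions', $hostile);
printf "safe call with real id deleted %d row(s)\n",
       remove_safe($dbh, 'sessions', 'abc123');
remove_unsafe($dbh, 'sessions', $hostile);
print "rows after unsafe call: ", count_rows($dbh), "\n";
```

The safe call with the hostile id matches no row and the table is untouched; the same id through the unsafe call empties the table.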