All the Perl that's Practical to Extract and Report
  • Leo, There are numerous issues with this code
    1. You're not using taint
    2. You're placing stuff directly into a SQL statement from a parameter without quoting it first. This is essentially letting anyone execute arbitrary SQL code on your server. Use taint.
    3. You've called the name of the variable you're outputting the template to $file, even though it's just a scalar. Why are you using this anyway...just print it to STDOUT by not having a third argument
    4. Your whitespace doesn't format the code very well.
    5. Y
    • Bad Leo, naught leo, no pie!!!!

      Some updates made, will look at rest soon, my brain has just decided to start thumping and turned to a pile of goo at the same time :(

      others

      1. Could use DBI plugin but didn't want to as I don't agree with it in the Template unless it's a quick hack.
      2. Guess so, but I'll leave it for now as I consider it just for debugging, though I guess a dodgy bit of user data could do something odd later.
      • 2. Guess so, but I'll leave it for now as I consider it just for debugging, though I guess a dodgy bit of user data could do something odd later.
        Yeah, you're leaving yourself open somewhat to a cross site scripting attack. Best to use an error template (if you're going to print out anything to the browser) and do a [% error.info | html %]
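The two fixes the thread asks for, as an added example that is not Leo's code or code from the original thread: a DBI placeholder instead of interpolating the parameter into the SQL, and an error template that passes the message through the `html` filter and prints straight to STDOUT (no third argument to `process`). It assumes DBD::SQLite and Template Toolkit are installed; the `entries` table and the sample input are constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Taint mode, as point 1 of the review asks for; run as: perl -T example.pl
use strict;
use warnings;
use DBI;
use Template;

# Constructed in-memory database standing in for the journal's real one.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT)');
$dbh->do("INSERT INTO entries (title) VALUES ('first post')");

# Untrusted input as it would arrive in a CGI parameter (constructed).
my $id = "1 OR 1=1";

# BEFORE: the parameter is interpolated into the statement text, so the
# input above rewrites the WHERE clause and the query returns every row.
my $unsafe_sql = "SELECT id, title FROM entries WHERE id = $id";
my $all_rows = $dbh->selectall_arrayref($unsafe_sql);
printf "interpolated query returned %d row(s)\n", scalar @$all_rows;   # 1 of 1 rows: the whole table

# AFTER: a placeholder sends the value separately from the SQL text. The
# driver never treats the value as code; the whole string is compared
# against the integer id and matches nothing.
my $sth = $dbh->prepare('SELECT id, title FROM entries WHERE id = ?');
$sth->execute($id);
my $rows = $sth->fetchall_arrayref;
printf "placeholder query returned %d row(s)\n", scalar @$rows;        # 0

# Error reporting: the message carries user data, so the template escapes
# it with the html filter. With no third argument, process() writes to
# STDOUT, which is what the review's point 3 suggests.
my $tt = Template->new;
my $error = { info => qq{no entry for id "$id" <b>not a number</b>} };
$tt->process(\'Error: [% error.info | html %]' . "\n", { error => $error })
    or die $tt->error;
```

The last line prints the `<b>` tag as `&lt;b&gt;`, so whatever the user typed is shown but never rendered as markup.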