Subject: The mailing list for listmasters using Sympa
[sympa-users] Fwd: Database queries should use placeholders
- From: Mitar <address@concealed>
- To: address@concealed
- Subject: [sympa-users] Fwd: Database queries should use placeholders
- Date: Thu, 14 Jun 2012 23:48:14 +0200
Hi!
I am forwarding here because the sympa-dev mailing list does not work.
Mitar
---------- Forwarded message ----------
From: Mitar <address@concealed>
Date: Thu, Jun 14, 2012 at 7:10 PM
Subject: Database queries should use placeholders
To: address@concealed
Hi!
I was debugging Sympa and I managed to get to the lib/Bulk.pm code. And my
hair just went crazy. You are using sprintf and $dbh->quote to
construct database queries! This is very very bad practice. You should
be using placeholders! In this way the database layer does not have to
quote and then the database unquote the data, there are no worries about
security or whether everything was quoted perfectly, and even more, the statement
can be reused and only the data to fill the placeholders has to be provided again
and again. This is very useful on bulk updates.
http://www.perlmonks.org/?node_id=7548
Furthermore, I am also attaching a patch fixing a bug where Sympa
crashed on unsubscribe through the web interface, because the listname passed
was a whole ref and not just the listname string.
Mitar
Attachment:
listname.patch
Description: Binary data
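The two styles the post contrasts, as an added example that is not Sympa's code and not part of the original message: the sprintf/$dbh->quote construction beside a placeholder version whose prepared handle is reused for a bulk insert. It assumes DBI with DBD::SQLite installed and uses an in-memory database; the table and column names are made up for the example and are not Sympa's.

```perl
#!/usr/bin/perl
# Added example (not Sympa code). Assumes DBI and DBD::SQLite are available.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Constructed schema for the example; not Sympa's subscriber table.
$dbh->do('CREATE TABLE subscribers (email TEXT NOT NULL, list TEXT NOT NULL)');

# --- The pattern the post objects to: every value is escaped with $dbh->quote,
# interpolated into the SQL text, and the database has to parse it back out.
# Correctness depends on nobody ever forgetting a quote() call.
sub insert_with_sprintf {
    my ($dbh, $email, $list) = @_;
    my $sql = sprintf(
        'INSERT INTO subscribers (email, list) VALUES (%s, %s)',
        $dbh->quote($email), $dbh->quote($list));
    $dbh->do($sql);
}

# --- Placeholder version: the SQL text is fixed, the values travel separately
# as bind parameters, and one prepared handle serves every row of the bulk insert.
sub insert_bulk_with_placeholders {
    my ($dbh, $list, @emails) = @_;
    my $sth = $dbh->prepare('INSERT INTO subscribers (email, list) VALUES (?, ?)');
    $sth->execute($_, $list) for @emails;   # same statement, new bind values each time
    $sth->finish;
}

sub count_subscribers {
    my ($dbh, $list) = @_;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM subscribers WHERE list = ?', undef, $list);
    return $n;
}

# Constructed sample addresses; two of them contain characters that are SQL
# syntax (a single quote, a semicolon) and would break a hand-built query.
my @addresses = (q{o'brien@example.org}, 'semi;colon@example.org', 'plain@example.org');

insert_bulk_with_placeholders($dbh, 'demo-list', @addresses);
insert_with_sprintf($dbh, q{o'brien@example.org}, 'other-list');

printf "%d rows on demo-list, %d on other-list\n",
    count_subscribers($dbh, 'demo-list'), count_subscribers($dbh, 'other-list');

# Each value is stored literally, quote characters and all.
my $rows = $dbh->selectcol_arrayref(
    'SELECT email FROM subscribers WHERE list = ? ORDER BY email', undef, 'demo-list');
print "$_\n" for @$rows;
```

One caveat worth keeping in mind when converting code like lib/Bulk.pm: placeholders bind values only. Table and column names, ORDER BY targets and the like cannot be passed as `?` parameters, so any identifier that is built at runtime still has to be checked against a fixed allow-list before it is interpolated into the statement text.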
- [sympa-users] Fwd: Database queries should use placeholders, Mitar, 06/14/2012
- Re: [sympa-users] Fwd: Database queries should use placeholders, David Verdin, 06/15/2012
- [sympa-users] Possible race condition in bulk.pid handling, John Kirkland, 06/19/2012
- Re: [sympa-users] Possible race condition in bulk.pid handling, David Verdin, 06/19/2012
Archive powered by MHonArc 2.6.19+.