The mailing list for listmasters using Sympa

[David Verdin <address@concealed>]

Hi Mitar,

Thanks a lot for your pointers.
Actually, this is on our roadmap. We have refactorized the database code 
in Sympa 6.2 in order to use very few subs to do all our queries.
Especially, we have two subs :

- do_query, which does the queries the old way
- do_prepared_query, which use placeholders

For now, most queries use "do_query". We need to change calls and 
queries to generalize "do_prepared_queries" adn take advantage of the 
placeholders mechanism.

We'll do it ASAP, once we're done mergineg the different features of the 
new Sympa version.

Regards,

David

Le 14/06/12 23:48, Mitar a écrit :
> Hi!
>
> I am forwarding here because sympa-dev mailing list does not work.
>
>
> Mitar
>
> ---------- Forwarded message ----------
> From: Mitar<address@concealed>
> Date: Thu, Jun 14, 2012 at 7:10 PM
> Subject: Database queries should use placeholders
> To: address@concealed
>
>
> Hi!
>
> I was debugging Sympa and I managed to get to lib/Bulk.pm code. And my
> hair just went crazy. You are using sprintf and $dbh->quote to
> construct database queries! This is very very bad practice. You should
> be using placeholders! In this way database layer does not have to
> quote and then database unquote data, there is no worries about
> security and if everything was quoted perfectly, even more, statement
> can be reused and only data to fill placeholders can be provided again
> and again. This is very useful on bulk updates.
>
> http://www.perlmonks.org/?node_id=7548
>
> Furthermore, I am also attaching a patch for fixing a bug where Sympa
> crashed on unsubscribe through web interface, because listname passed
> was whole ref and not just listname string.
>
>
> Mitar

Attachment: smime.p7s
Description: Signature cryptographique S/MIME