A minor update has been posted. Changes are noted in the readme. MarzQL 1.1.0 _________________ Check out Botworld! A dev resource for things bot.
Downloads, articles, news, fourm and more.
http://botworld.marzopolis.com
Joined: 03 May 2006 Posts: 2292 Location: Colorado
Posted: Mon Feb 07, 2005 6:55 am Post subject:
QUOTE(alienz @ Feb 3 2005, 03:06 PM)
Ok, but wouldn't injection only be bad if say, someone else could put them in?
True. I assume however that you expect your code to be used by new people to programming. If so then not letting them use placeholders effectively teaches them not to. What if they do something like
Code:
<br />if ($msg =~ /find user (.*)/) {<br /> my $user = $db->select("SELECT * FROM users where user_name = $1");<br />}<br />
You now have a gapping security whole. Granted it might not be your modules job to baby sit programmers, but adding a small amount of code to the module could get new users the following code instead.
Code:
<br />if ($msg =~ /find user (.*)/) {<br /> my $user = $db->select("SELECT * FROM users where user_name = ?", $1);<br />}<br />
Such a minor change encourages the learning of good practices and greatly enhances the security of the code. _________________ Eric256
Proud previous owner and current admin of Bot-depot.com
I've been working on using placeholders. I've managed to be able to pass the SQL statement with the placeholder and the values it needs, but then it keeps telling me the query fields don't match the number of fields on execution. Blah. This occurs when I try to send two values with placeholders, which was my first test..I haven't gotten any further yet because of some other things.
As for the injection, you have a good point. Currently it's best to use this module internally, where you control the values being sent and not the user. However, I personally haven't even found a reason for allowing users to introduce any values to the database yet. The majority of the db interaction is internal to the bot. So...if you're using this module, please be aware of SQL injection! Don't allow users the ability to introduce their own values to the db. Once I have the code in place for using placeholders, this will be fixed. _________________ Check out Botworld! A dev resource for things bot.
Downloads, articles, news, fourm and more.
http://botworld.marzopolis.com
Joined: 19 Jul 2004 Posts: 556 Location: Los Angeles, CA votes: 1
Posted: Tue Feb 08, 2005 3:15 am Post subject:
I think the point eveone is trying to make here, is that this module is rather pointless sence you just basically pass in sql statements anyways. Maybe you should just write a toturial on how to use mysql instead of waisting your time on this. It really does nothing new.
you have 6 subs that do exactly the same thing (take the sql statemsnt and run it) altertable, drop, create, delete, update, insert
when it could be done with one DO call: $dbh->do("CREATE TABLE foo (id INTEGER, name VARCHAR(20))"); _________________ [ matt ]
I think the point eveone is trying to make here, is that this module is rather pointless
You are the first I've seen that says it's pointless, the other posts have been suggestions and constructive criticism. Besides passing the SQL, it also has some good error/debugging info and does profiling, so it does have a point. _________________ Check out Botworld! A dev resource for things bot.
Downloads, articles, news, fourm and more.
http://botworld.marzopolis.com
Update- This is version 2.0.0 of MarzQL. Several major changes have been done. The methods now all build the SQL for you, so instead of just passing the statement to them you pass a hashref of things like the table name, fields, etc. Where variables are supplied the methods now use placeholders. You can pass an array of values to be executed. Some you can pass the number of placeholders, others are fixed. View the examples in the readme for more. Here's a peek at one:
Code:
my @values = ("value",);<br /> my $database = {'table' =>'tablename', 'fields' =>'fieldnames', 'placeholders' =>'?'};<br /> $db->insert($database,@values);
Changes in this version include: All methods now build the SQL statement and take placeholders where needed. Database info now passed as a hashref. Methods ALTER and CREATE renamed to ALTER_TABLE and CREATE_TABLE. Added new methods SELECT_WHERE, UPDATE_WHERE. Updated the readme.
NONE of the previous methods are depreciated, although they could be if there was enough of a demand.
Get it at the link in the beginning of the thread or here: MarzQL Module _________________ Check out Botworld! A dev resource for things bot.
Downloads, articles, news, fourm and more.
http://botworld.marzopolis.com
User Control Panel
