Insecure dependency while running with -T switch

Hi friends,

I get a value from the HTML page using the cgi->param function. Then I want to pass this value to access the database. But it is showing some error... I'll explain the details.

sub my_func {

my $id = $cgi->param('id');
print "ID is $id";   # this works fine; the value of id is 22

Now I want to pass this value to select the name of that id.

my $dbh = Bugzilla->dbh;
my $query = "select name from users where id != $id";   # $id is interpolated straight into the SQL text
my $names = $dbh->selectrow_arrayref($query);

Here it's showing the error:
undef error - Insecure dependency in parameter 1 of DBI::db=HASH(0xa8a628c)->selectrow_arrayref method call while running with -T switch

But when I give an integer value instead of $id in the query, it works fine.

Why is the value of $id not working with the query??

Thanks in advance
Kokul
Jul 6 '07 #1
KevinADC
The -T switch is to save yourself from making a mistake that allows user input to do something that might be insecure. When you get the data from the form, that is user input, it comes from outside the program. When you put the value directly into the function yourself, it is not insecure because it comes from inside your program.

What you need to do is validate the user input and then "untaint" it to make it secure:

my $id = $cgi->param('id');
if ($id =~ /^(\d+)$/) {
    $id = $1;   # <-- now $id comes from inside the program and is untainted
}
else {
    print "Error: id is not a digit";
    exit();
}
see also:

http://gunther.web66.com/FAQS/taintmode.html
Jul 6 '07 #2
miller
Because $id is currently "tainted" and database operations are secured operations.
perldoc perlsec

You can do the following which will verify that $id is an integer:
# anchored so that only a value consisting entirely of digits is accepted;
# the capture $1 is what clears the taint
my $id = $cgi->param('id') =~ m/^(\d+)$/ ? $1 : die "Invalid id";
Or you could also look into seeing whether using placeholders would allow you to use DBI with tainted data. It might work, but I've never tested it.

my $sth = $dbh->prepare(q{SELECT name FROM users WHERE id != ?}) or die $dbh->errstr;
$sth->execute($id) or die $dbh->errstr;
my $names = $sth->fetchrow_arrayref;   # fetchrow_arrayref takes no arguments
- Miller
Jul 6 '07 #3
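As an added example (not code from the thread or from Bugzilla), here is a complete script combining both answers under -T: the id is validated and untainted through a regex capture, and the query then uses a placeholder. It assumes DBI and DBD::SQLite are installed; the users table is constructed in memory so it runs offline, and the ID environment variable stands in for the CGI parameter.

```perl
#!/usr/bin/perl -T
# Run as:  ID=22 perl -T untaint_demo.pl   (the -T must be given on the command line)
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Return the id as an untainted integer, or undef if it is not one.
# Only the regex capture ($1) is returned: that is what clears the taint.
sub untaint_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([0-9]{1,10})\z/ ? $1 : undef;
}

# Constructed input. Under -T, %ENV is tainted just as CGI parameters are,
# so $ENV{ID} exercises the same path as cgi->param('id') in the question.
my $raw = exists $ENV{ID} ? $ENV{ID} : '22';
printf "raw value tainted: %s\n", tainted($raw) ? 'yes' : 'no';

my $id = untaint_id($raw);
defined $id or die "Invalid id: must be a positive integer\n";
printf "validated value: %s (tainted: %s)\n", $id, tainted($id) ? 'yes' : 'no';

# With DBI's TaintIn attribute set, method arguments (bind values included)
# are checked for taint, so the validation above has to happen first.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, TaintIn => 1 });

# Constructed sample table standing in for Bugzilla's users table.
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
$ins->execute(@$_) for ([21, 'alice'], [22, 'bob'], [23, 'carol']);

# The placeholder keeps the value out of the SQL text, so no string is ever
# interpolated into the statement; this is the query from the question.
my $sth = $dbh->prepare('SELECT name FROM users WHERE id != ? ORDER BY id');
$sth->execute($id);
my @names = map { $_->[0] } @{ $sth->fetchall_arrayref };
print "names other than id $id: @names\n";
```

Running it with ID set to something like "22; drop table users" dies at the validation step with "Invalid id", before DBI is ever called.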
