Bytes IT Community

Insecure dependency while running with -T switch

Hi friends,

I get a value from the HTML page using the cgi->param function. Then I want to pass this value to access the database. But it is showing an error... I'll explain the details..

    sub my_func {
        my $id = Bugzilla->cgi->param('id');   # the post writes cgi->param; Bugzilla->cgi is the request object
        print "ID is $id";                     # this works fine; the value of id is 22

Now I want to pass this value to select the name for that id.

        my $dbh   = Bugzilla->dbh;
        my $query = "select name from users where id != $id";
        my $names = $dbh->selectrow_arrayref($query);
    }

Here it's showing error:
undef error - Insecure dependency in parameter 1 of DBI::db=HASH(0xa8a628c)->selectrow_arrayref method call while running with -T switch

But when I give an integer value instead of $id in the query, it works fine.

Why does the value of $id not work with the query??

Thanks in advance
Kokul
Jul 6 '07 #1


KevinADC
Expert 2.5K+
The -T switch is to save yourself from making a mistake that allows user input to do something that might be insecure. When you get the data from the form, that is user input, it comes from outside the program. When you put the value directly into the function yourself, it is not insecure because it comes from inside your program.

What you need to do is validate the user input and then "untaint" it to make it secure:

    my $id = Bugzilla->cgi->param('id');   # as in the question; the value is tainted
    if ($id =~ /^(\d+)$/) {
        $id = $1;   # <-- now $id comes from inside the program and is untainted
    }
    else {
        print "Error: id is not a digit";
        exit();
    }
see also:

http://gunther.web66.com/FAQS/taintmode.html
Jul 6 '07 #2

miller
Expert 100+
Because $id is currently "tainted" and database operations are secured operations.
perldoc perlsec

You can do the following which will verify that $id is an integer:
    my $id = Bugzilla->cgi->param('id') =~ m/(\d+)/ ? $1 : die "Invalid id";
Or you could also look into whether using placeholders would allow you to use DBI with tainted data. It might work, but I've never tested it.

    my $sth = $dbh->prepare(q{SELECT name FROM users WHERE id!=?});
    $sth->execute($id) or die $dbh->errstr;
    my $names = $sth->fetchrow_arrayref;   # takes no arguments; returns the first row
- Miller
Jul 6 '07 #3
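Pulling both replies together, the following is an added example (not code from the thread, and not Bugzilla's own code) that validates and untaints the id the way KevinADC describes, then binds it through a placeholder as in Miller's second snippet. It assumes DBD::SQLite is installed for an in-memory database; the users table, its rows, and the helper names untaint_id and other_names are constructed for this example.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: validate and untaint a form "id"
# under taint mode, then query through a DBI placeholder.
# Assumes DBD::SQLite for the in-memory database; the users table and its
# rows are constructed here; untaint_id and other_names are hypothetical names.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Accept only a string made entirely of decimal digits and return the
# captured copy, which Perl treats as untainted. The anchors are the point:
# an unanchored m/(\d+)/ would accept "22 OR 1=1" and quietly return "22".
sub untaint_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A(\d{1,10})\z/ ? $1 : undef;
}

# Return the names of all users except the given id. The id is bound as a
# parameter, so it travels separately from the SQL text instead of being
# interpolated into it.
sub other_names {
    my ($dbh, $id) = @_;
    my $sth = $dbh->prepare(q{SELECT name FROM users WHERE id != ? ORDER BY id});
    $sth->execute($id) or die $dbh->errstr;
    my @names;
    while (my $row = $sth->fetchrow_arrayref) {
        push @names, $row->[0];
    }
    return \@names;
}

# Build a throwaway database with a few constructed rows.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)});
for my $row ([21, 'alice'], [22, 'bob'], [23, 'carol']) {
    $dbh->do(q{INSERT INTO users (id, name) VALUES (?, ?)}, undef, @$row);
}

# Stand-in for cgi->param('id'): a command-line argument is tainted under -T
# just as form input is. Falls back to a constructed literal (which is not
# tainted) when no argument is given.
my $raw = @ARGV ? $ARGV[0] : '22';
printf "input '%s' %s tainted\n", $raw, tainted($raw) ? 'is' : 'is not';

my $id = untaint_id($raw);
if (!defined $id) {
    print "Error: id must be a positive integer\n";
    exit 1;
}
printf "validated id %s %s tainted\n", $id, tainted($id) ? 'is' : 'is not';
print "other users: ", join(', ', @{ other_names($dbh, $id) }), "\n";
```

Run it as `perl -T example.pl 22` (the -T on the command line must match the shebang, or perl refuses to start); try `perl -T example.pl '22 OR 1=1'` to see the anchored check reject the input instead of handing a trimmed "22" to the query.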
