Changeset 2319
- Timestamp:
- 11/29/09 20:18:59 (2 years ago)
- Location:
- Sort-SQL/trunk
- Files:
-
- 3 edited
-
Changes (modified) (1 diff)
-
lib/Sort/SQL.pm (modified) (2 diffs)
-
t/02-sql-injection.t (modified) (2 diffs)
Sort-SQL/trunk/Changes
r2301 r2319 25 25 that match \W 26 26 27 0.08 29 Nov 2009 28 - fix regex in SQL-injection filter from 0.07 to allow table 29 prefixes on column names. 30 -
Sort-SQL/trunk/lib/Sort/SQL.pm
r2301 r2319 5 5 use vars qw( $VERSION ); # for version 5.005... 6 6 7 $VERSION = '0.07'; 7 $VERSION = '0.08'; 8 9 my $debug = $ENV{PERL_DEBUG} || 0; 8 10 9 11 sub parse { … … 16 18 while ( my ( $prop, $dir ) = splice( @s, 0, 2 ) ) { 17 19 18 next if $prop =~ m/\W/; # avoid sql injection 20 $debug and warn sprintf( "prop='%s' dir='%s'\n", $prop, $dir || '' ); 21 22 next if $prop =~ m/[^\.\w]/; # avoid sql injection 19 23 20 24 if ( !defined $dir ) { -
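Review bot: The new filter `next if $prop =~ m/[^\.\w]/;` is still a character blacklist, so it admits dotted strings that are not valid identifiers — a leading or trailing dot, `a..b`, or a bare `.` — and those then flow on into the ORDER BY output unchanged. A positive, anchored match states the intended shape (one or more `\w` segments joined by single dots) and also rejects the empty case: `next unless $prop =~ m/\A\w+(?:\.\w+)*\z/;`. The `\.` escape inside the character class is unnecessary. The `$debug and warn sprintf(...)` line just above prints the unfiltered `$prop`, which can carry `\r` as the test input shows, so it would be cleaner to emit it after the filter has run or escape it first. `sub parse` begins before this hunk and its body, including whatever validation `$dir` gets, continues past it.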
Sort-SQL/trunk/t/02-sql-injection.t
r2302 r2319 1 1 use strict; 2 2 use warnings; 3 use Test::More tests => 3; 3 use Test::More tests => 5; 4 5 #use Data::Dump qw( dump ); 6 4 7 use_ok('Sort::SQL'); 5 8 6 9 #use Data::Dump qw( dump ); 7 10 8 my $nefarious_sql = "name id; drop\rtable\rtest;\rselect\r1\r";11 my $nefarious_sql = "name, id; drop\rtable\rtest;\rselect\r1\r"; 9 12 10 13 ok( my $parsed = Sort::SQL->string2array($nefarious_sql), … … 14 17 15 18 is_deeply( $parsed, [ { name => 'ASC' } ], "bad sql is stripped" ); 19 20 my $more_bad_sql = "t1.name DESC, t2.id asc;drop\rtable\rtest;select\r1"; 21 22 ok( my $parsed2 = Sort::SQL->string2array($more_bad_sql), 23 "parse order string 2" ); 24 25 #diag( dump($parsed2) ); 26 27 is_deeply( 28 $parsed2, 29 [ { 't1.name' => 'DESC' }, { 't2.id' => 'ASC' } ], 30 "more bad sql is stripped" 31 );
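Review bot: The added lines 4–6 duplicate the `#use Data::Dump qw( dump );` comment that already appears at line 9 of the new file, so the commented import is now present twice; drop one of them. The new case only checks that dotted prefixes survive the filter; since the filter change admits any mix of `.` and `\w`, a companion assertion that a malformed name such as `..name` or `t1.` is dropped would pin down which identifier shapes are meant to pass. `$more_bad_sql` also exercises lowercase `asc` being normalised to `ASC`, which the test description could say explicitly, e.g. `"table-prefixed names kept, direction upper-cased, trailing statements dropped"`.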