OWASP Top Ten - A1 Injection - Good/Bad - In Perl
use v5.16;
use Plack::Request;

# PSGI app: reads the `name` request parameter and looks it up in table `foo`.
# This is the VULNERABLE half of the OWASP A1 (Injection) example: $name is
# interpolated straight into the SQL string, so a request such as
#   ?name=' OR '1'='1
# rewrites the WHERE clause instead of being compared as data. Nothing is
# escaped and nothing is validated. The bound-parameter version below is the
# fix.
# NOTE(review): `$dbh` is not declared in this listing; under `use v5.16`
# (which enables strict) it must be a connected DBI handle in an enclosing
# scope, or the file will not compile.
my $app = sub {
    # Plack::Request makes getting parameters easier
    my $req = Plack::Request->new(shift);

    # Load the name -- untrusted: it comes directly from the HTTP request
    my $name = $req->parameters->{name};

    # BAD BAD BAD Embed the name into the SQL
    # The single quotes give no protection: a quote inside $name closes the
    # literal and whatever follows is parsed as SQL by the database.
    my $foo = $dbh->selectrow_hashref(
        "select stuff from foo where name = '$name'");

    # Return the result (selectrow_hashref returns undef when no row matched,
    # so the body is undef in that case -- not handled in this listing)
    return [
        200,
        [ 'Content-type' => 'text/plain' ],
        [ $foo->{stuff} ]
    ];
};
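use v5.16;
use Plack::Request;

# PSGI app: reads the `name` request parameter and returns the matching
# `stuff` column from table `foo` as text/plain.
#
# This is the SAFE half of the OWASP A1 (Injection) example: the value is
# handed to DBI as a bind parameter (`?`), so the driver sends it as data and
# it is never parsed as SQL, whatever characters it contains. Placeholders
# only cover *values* -- table/column names, ORDER BY targets and keywords
# cannot be bound and must come from a whitelist, never from the request.
#
# NOTE(review): `$dbh` is not declared in this listing; under `use v5.16`
# (which enables strict) it must be a connected DBI handle in an enclosing
# scope. Whether selectrow_hashref dies or returns undef on a database error
# depends on that handle's RaiseError setting, which is not visible here.
my $app = sub {
    # Plack::Request makes getting parameters easier
    my $req = Plack::Request->new(shift);

    # Load the name (untrusted input from the HTTP request)
    my $name = $req->parameters->{name};

    # An absent parameter binds as NULL, which matches no row; report that
    # explicitly rather than falling through to a 200 with an empty body.
    if (!defined $name) {
        return [
            400,
            [ 'Content-type' => 'text/plain' ],
            [ 'missing name parameter' ]
        ];
    }

    # Bind the name to the SQL query: `?` is the placeholder, undef is the
    # (unused) \%attr argument, and $name is the bind value.
    my $foo = $dbh->selectrow_hashref(
        "select stuff from foo where name = ?", undef, $name);

    # selectrow_hashref returns undef when no row matches; answer 404 instead
    # of dereferencing undef into an empty 200.
    if (!$foo) {
        return [
            404,
            [ 'Content-type' => 'text/plain' ],
            [ 'not found' ]
        ];
    }

    # Return the result; defined-or keeps the body a string if `stuff` is NULL.
    return [
        200,
        [ 'Content-type' => 'text/plain' ],
        [ $foo->{stuff} // '' ]
    ];
};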