Oh, BTW. I was asked to explain SQL injections yesterday. Would this amendment be superfluous in a Pike manual?
$ cvs diff -u Sql.pike Index: Sql.pike =================================================================== RCS file: /cvs/Pike/7.5/lib/modules/Sql.pmod/Sql.pike,v retrieving revision 1.68 diff -u -r1.68 Sql.pike --- Sql.pike 30 Jul 2003 02:30:33 -0000 1.68 +++ Sql.pike 22 Oct 2003 00:10:36 -0000 @@ -28,6 +28,20 @@
//! @decl string quote(string s) //! Quote a string @[s] so that it can safely be put in a query. +//! +//! All input that is used in SQL-querys should be quoted to prevent +//! SQL injections. +//! +//! Consider this harmfull code: +//! @code +//! string my_input = "rob' OR name!='rob"; +//! string my_query = "DELETE FROM tblUsers WHERE name='"+my_input+"'"; +//! my_db->query(my_query); +//! @endcode +//! +//! This type of problems can be avoided by quoting @tt{my_input@}. +//! @tt{my_input@} would then probably read something like +//! @i{rob' OR name!='rob@}
function(string:string) quote = .sql_util.quote;
@@ -340,9 +354,16 @@ return ({sprintf(query,@args), b}); }
-//! Send an SQL query to the underlying SQL-server. The result is returned -//! as an array of mappings indexed on the name of the columns. -//! Returns 0 if the query didn't return any result (e.g. INSERT or similar). +//! Send an SQL query to the underlying SQL-server. +//! Returns +//! @ol +//! @item +//! The result as an array of mappings indexed on the name +//! of the columns. +//! @item +//! 0 if the query didn't return any result (e.g. INSERT or similar). +//! @item +//! Throws an exception if the query fails. //! //! @param q //! Query to send to the SQL-server. This can either be a string with the @@ -359,8 +380,12 @@ //! the variable is used. //! //! @code -//! query("select foo from bar where gazonk=:baz", -//! ([":baz":"value"])) ) +//! mixed err = catch { +//! query("SELECT foo FROM bar WHERE gazonk=:baz", +//! ([":baz":"value"])); +//! }; +//! if(!intp(err)) +//! werror("An error occured."); //! @endcode //! //! Binary values (BLOBs) may need to be placed in multisets.
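Review bot: in the first hunk (the new quote() documentation), the closing sentence shows the quoted value as exactly the same text as the unquoted input (`rob' OR name!='rob` in both places), so the example never shows what quoting actually changes; show the escaped form the driver produces (the embedded single quotes escaped) or say in words that the quotes are escaped so the string can no longer terminate the literal. Wording: "harmfull" should be "harmful", "SQL-querys" should be "SQL queries", and "This type of problems" should be "This type of problem". Since query() in the same file already supports bound variables (the `:baz` form documented below), it is worth pointing readers there as the alternative that avoids building the query by string concatenation in the first place.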
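Review bot: in the second hunk, the third @item of the new "Returns" list ("Throws an exception if the query fails") is not a return value and reads oddly under an @ol introduced by "Returns"; move it out of the list into its own sentence (or a @throws block, if the autodoc markup supports one) and keep the list to the two actual results.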
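Review bot: in the third hunk, the error test `if(!intp(err))` is weaker than it looks: catch yields 0 when the block completes normally, so the idiomatic test is simply `if (err)`; testing for "not an integer" assumes no thrown value is ever an integer and would silently miss one that is. The example also discards the result of query(), which the surrounding text says is the array of mappings, so assigning it to a variable inside the catch block would let the example show both the call's use and its error handling. Spelling: "occured" should be "occurred".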
/ Peter Lundqvist (disjunkt)
Previous text:
2003-10-22 01:42: Subject: Re: Proposal-patch for documentation of Sql.pike
To signify that you want a link to the description of catch. Now, since catch isn't in the module documentation you won't get one there and since no links are created at all in the chapterized manual you won't get one there either. But if someone took the time to write code that generates links for that one as well, then you would.
/ Martin Nilsson (saturator)