De-tainting a number
Bradley Baetz
bbaetz at acm.org
Sat Jul 26 00:11:46 UTC 2003
On Fri, Jul 25, 2003 at 03:10:33PM +0100, Mark Ingram wrote:
> Hi,
>
> I have the following line:
>
> SendSQL("INSERT INTO bugs (reg_test) VALUES (" . SqlQuote($reg_test) . ")
> WHERE bug_id = $bugid");
>
> which isn't working obviously because the $bugid is still tainted. How do I
> de-taint a number?
Assuming that this is 2.17, you should be letting DBI do this, and
doing:
Bugzilla->dbh->do("INSERT INTO bugs (reg_test) VALUES (?) WHERE
bug_id=?", undef, $reg_test, $bugid);
(except that that's not valid SQL)
You do still need to untaint the values first, however.
Bradley
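An added example, not code from this thread or from Bugzilla itself, showing the two steps the reply describes: untainting an integer with a regex capture under perl -T, then letting DBI bind the values through placeholders. It assumes DBD::SQLite is installed (the table and rows are constructed in memory), and, since the INSERT ... WHERE in the question is not valid SQL, it assumes an UPDATE of an existing bug row was intended.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread or from Bugzilla itself.
# Assumes DBD::SQLite is installed; the table and rows are constructed here.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T the only way to untaint a value is to extract it with a regex
# capture, so the pattern must describe exactly what is acceptable:
# an optional minus sign followed by digits, and nothing else.
sub untaint_integer {
    my ($value) = @_;
    return undef unless defined $value && $value =~ /^(-?\d+)$/;
    return $1;    # $1 is untainted; $value itself stays tainted
}

# Command-line arguments are tainted just like CGI parameters; the defaults
# are constructed sample values for running without arguments.
my $reg_test = defined $ARGV[0] ? $ARGV[0] : "passed";
my $bugid    = defined $ARGV[1] ? $ARGV[1] : "42";

my $clean_id = untaint_integer($bugid);
defined $clean_id or die "bug_id must be an integer, got '$bugid'\n";
printf "bug_id tainted before: %d, after: %d\n",
    tainted($bugid) ? 1 : 0, tainted($clean_id) ? 1 : 0;

# reg_test is free text, so untaint it with a pattern matching what the
# column should hold (letters, digits, spaces and a few punctuation marks).
my ($clean_test) = $reg_test =~ /^([\w .,-]{1,255})$/
    or die "reg_test contains disallowed characters\n";

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, reg_test TEXT)");
$dbh->do("INSERT INTO bugs (bug_id, reg_test) VALUES (?, ?)", undef, 42, "");

# Placeholders: DBI passes the values separately from the SQL text, so no
# SqlQuote of our own is needed and a value can never alter the statement.
my $rows = $dbh->do("UPDATE bugs SET reg_test = ? WHERE bug_id = ?",
                    undef, $clean_test, $clean_id);
print "rows updated: $rows\n";
```

Run it as `perl -T untaint.pl passed 42`; with a non-numeric second argument the script dies before any SQL is issued.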