[erlang-questions] ODBC param_sql problem on Ubuntu or does sql_query will cause SQL-injection?
wenew zhang
wenewboy@REDACTED
Mon Mar 31 00:48:44 CEST 2008
i use odbc on R12B+unbuntu 8.04+Mysql 5.0.45 +unixODBC+MyOdbc 3.52
when i use param_query, i got "No SQL-driver information available!
but sql_query works, as the code below,it's works, but it's maybe cause
sql-injection,
how to avoid it?
code:
handle_call({?PLLOGIN,Uid,Pwd},_From,State) ->
io:format("PLLogin id:~w Uid:~w Pwd:~w~n",[?PLLOGIN,Uid,Pwd]),
[Conn] = State, %% get the connection back from the state
io:format("select cno from customer where
cno='"++binary_to_list(Uid)++"' and password='"++binary_to_list(Pwd)++"'"),
{ok,IsFound}=odbc:select_count(Conn,"select cno from customer where
cno='"++
binary_to_list(Uid)++"' and
password='"++binary_to_list(Pwd)++"'"),
% {_SltState,IsFound}=odbc:param_query(Conn,"select count(*) from
customer where ano=? and
password=?",[{{sql_varchar,16},[Uid]},{{sql_varchar,20},[Pwd]}]),
{reply,IsFound, State}.
%%it's works
4> Uid="root".
"root"
5> Pwd="123456".
"123456"
6> odbc:param_query(Conn,"select count(*) from customer where ano=? and
password=?",[{{sql_varchar,16},[Uid]},{{sql_varchar,20},[Pwd]}]).
{error,"No SQL-driver information available."}
7> odbc:sql_query(Conn,"select version()").
{selected,["version()"],[{"5.0.45-3ubuntu1"}]}
8> odbc:sql_query(Conn,"select * from
customer").
{selected,["cno","ano","cname","score","money","regdate",
"password","status","memo","passwderrortimes","currency",
"email"],
[{"root"," "," ","0.00","0.00",null,"123456","normal",null,
null,"RMB",null}]}
Wenew Zhang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20080331/0bc20d39/attachment.htm>
More information about the erlang-questions
mailing list