guillaumeaubert / Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection

PerlCritic policy that attempts to detect the most common sources of SQL injection in manually crafted SQL statements, by detecting the use of variables inside interpolated strings that look like SQL statements.
https://metacpan.org/pod/Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection

Unable to whitelist concatenated variables #7

Closed sprinkla closed 10 years ago

sprinkla commented 10 years ago

Sir,

Here is an example of what I'd like to work, and it's not working.

```perl
$sql .= "UPDATE table_name." . $self->{service} . " SET deleted_at = NOW() WHERE id = " . $map->{system_id} . " AND deleted_at IS NULL"; ## SQL safe ( $self $map )
```

guillaumeaubert commented 10 years ago

Thank you for the bug report, sprinkla! The commits above are solving the issue, but I think it would be better to be able to whitelist only $map->{system_id} as opposed to opening a big hole with "anything inside $map". I'm going to think about it tonight and we can discuss it tomorrow before I do a release for this fix.

guillaumeaubert commented 10 years ago

Fixed whitelisting the exact variable name instead of only looking at the root of nested variables. Released in v1.1.4.
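As an added example, not code from the issue or from the policy's own distribution: the statement from the report rewritten so that only one value is interpolated into the SQL, and that value is checked against a fixed allowlist first, while the row id is sent as a `?` placeholder with a bind value. The function name `build_soft_delete`, the `%KNOWN_SERVICE` allowlist and the sample inputs are constructed for this example; the `## SQL safe (...)` annotation follows the form used in the report and names the interpolated variable exactly, as the v1.1.4 fix requires.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed allowlist standing in for whatever the application knows
# about valid values of $self->{service}. The service name becomes part
# of a table identifier, so it cannot be passed as a bind value; the
# only safe options are an allowlist like this or $dbh->quote_identifier.
my %KNOWN_SERVICE = map { $_ => 1 } qw( billing shipping );

# Returns the SQL text plus its bind values, ready for $dbh->do or
# $dbh->prepare/execute. Dies before any SQL is built if the inputs are
# not what the query expects.
sub build_soft_delete {
    my ( $service, $system_id ) = @_;

    die "Unknown service '$service'\n"
        unless defined $service && $KNOWN_SERVICE{$service};
    die "system_id must be a positive integer\n"
        unless defined $system_id && $system_id =~ /\A[1-9][0-9]*\z/;

    # Only the allowlisted identifier is interpolated. The annotation tells
    # the policy this specific variable was vetted; the row id is not in the
    # string at all, so there is nothing for the policy to flag on that side.
    my $table = "table_name.$service"; ## SQL safe ($service)
    my $sql   = "UPDATE $table SET deleted_at = NOW() WHERE id = ? AND deleted_at IS NULL"; ## SQL safe ($table)

    return ( $sql, $system_id );
}

# Constructed inputs standing in for $self->{service} and $map->{system_id}.
my ( $sql, @bind ) = build_soft_delete( 'billing', 42 );
print "$sql\n";
print "bind values: @bind\n";

# A hostile service name is rejected before it ever reaches the SQL string.
my $ok = eval { build_soft_delete( 'billing; DROP TABLE users', 42 ); 1 };
print $ok ? "accepted (unexpected)\n" : "rejected: $@";

# A non-numeric id is likewise rejected rather than relying on the driver.
$ok = eval { build_soft_delete( 'billing', '1 OR 1=1' ); 1 };
print $ok ? "accepted (unexpected)\n" : "rejected: $@";

# With a live handle: $dbh->do( $sql, undef, @bind );
```

The point of splitting identifier and value handling is that the annotation is now a statement about one variable whose origin is visible a few lines above, rather than a blanket exemption for everything reachable through `$self` or `$map`, which is exactly the "big hole" the maintainer objects to in the thread. Anything that must be interpolated (table or column names) gets validated; anything that can be a bind value is a placeholder.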