Re: Can't call method "prepare" on an undefined value
on 30.01.2007 14:40:48 by Alexander

Somehow you managed to have an undefined value instead of a DBI database
handle in front of ->prepare, which is buried deep inside Oraperl.pm.

Please insert "use strict;" between the first line and the first line of
code, and change the first line to "#!/usr/local/bin/perl -w". This will
enable perl warnings and strict code checks. Remove all warnings and
errors reported by strict and -w, then run your code again. Remove the &
signs in front of function calls; this is Perl 4 style and has some
undesirable side effects on Perl 5.

Looking at some more details, I see some problems with CGI parameters
from the QUERY_STRING and other CGI issues. Consider using the CGI
module instead of fiddling with environment variables. Consider using
DBI objects instead of ora_xxx functions. Consider enabling taint mode
(add -T to the first line).

At least $ppcd_id is vulnerable to SQL injection, allowing to read,
perhaps also modify and delete data from the database.

At least $ppcd_no and $add_id are vulnerable to remote command
execution, at least in the context of the CGI/Webserver user. They can
also be (ab)used to send arbitrary mails to arbitrary recipients.

Personally, I would recommend to delete this script as soon as possible
and rewrite it using CGI, DBI and taint mode. Feel free to contact me
via email if you need help.

Alexander Foken

On 30.01.2007 11:23, Chong, Wei-Ling wrote:
>
> Hi, I have one Oracle database located at server A and set up the
> Oracle HTTP Server at Server B. Both servers are Solaris servers. I have
> installed DBI and DBD on Server B and set up oraperl in my Perl
> script.
>
> When I run the Perl script, I am getting this error:
>
> Can't call method "prepare" on an undefined value at /oracle/app/http/product/OAS10.1.2.0.2/perl/lib/site_perl/5.6.1/sun4-solaris/Oraperl.pm line 121.
> [Tue Jan 30 16:39:26 2007] [error] [client 165.204.172.185] [ecid: 1170146365:165.204.178.123:1213:0:7,0] Premature end of script headers: /oracle/app/http/dl/web/cgi/eppcd/ppcd_approval_ora.pl
>
> It works fine when oraperl is located on the same server as the database.
> I searched the internet and it might be due to a connection string
> problem. I am able to sqlplus to this database on Server B: sqlplus
> ppcd@equal.dev.edms2
>
> Attached is my Perl script. Is there any error in my oraperl code?
>
> Please help, very appreciated.
>
> Thanks.
>
> Best Regards,
>
> Chong
>
--
Alexander Foken
mailto:alexander@foken.de http://www.foken.de/alexander/
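
The rewrite recommended in the reply above (CGI module, DBI with placeholders, taint mode, no shell for mail), sketched as an added example; it is not part of the original thread and is not the poster's script, which is not shown on this page. Assumptions: the table `ppcd_request`, its `status` column, the parameter formats, treating `add_id` as a mailbox name at `example.com`, the placeholder DSN and user, the `PPCD_DB_PASSWORD` environment variable, and Perl 5.8 or later for the list-form pipe open.

```perl
#!/usr/local/bin/perl -T
# Added example; table, column, formats, DSN, user and mail domain are assumptions.
use strict;
use warnings;
use CGI ();
use DBI ();

$ENV{PATH} = '/usr/bin:/bin';                 # taint mode needs a known-safe PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $q = CGI->new;

# Print a plain-text response and stop.
sub reply { print $q->header(-status => $_[0], -type => 'text/plain'), "$_[1]\n"; exit }

# Return the untainted value if it matches the whole pattern, else undef.
sub untaint {
    my ($value, $pattern) = @_;
    return defined($value) && $value =~ /\A($pattern)\z/ ? $1 : undef;
}

# List-form pipe open hands the arguments to sendmail directly; no shell parses them.
sub send_notice {
    my ($recipient, $ppcd_no) = @_;
    open(my $mail, '|-', '/usr/lib/sendmail', '-oi', '--', $recipient) or die "sendmail: $!";
    print {$mail} "To: $recipient\nSubject: PPCD $ppcd_no\n\nRequest $ppcd_no was updated.\n";
    close($mail) or die "sendmail exited with status $?";
}

my $ppcd_id = untaint(scalar $q->param('ppcd_id'), qr/[0-9]{1,10}/);
my $ppcd_no = untaint(scalar $q->param('ppcd_no'), qr/[A-Za-z0-9_-]{1,32}/);
my $add_id  = untaint(scalar $q->param('add_id'),  qr/[A-Za-z0-9][A-Za-z0-9._]{0,31}/);
reply('400 Bad Request', 'Invalid parameters')
    unless defined $ppcd_id && defined $ppcd_no && defined $add_id;

my $row = eval {
    # RaiseError makes a failed connect die here instead of handing back undef.
    my $dbh = DBI->connect('dbi:Oracle:PLACEHOLDER_TNS_ALIAS', 'PLACEHOLDER_USER',
        $ENV{PPCD_DB_PASSWORD}, { RaiseError => 1, PrintError => 0, FetchHashKeyName => 'NAME_lc' });
    # The id is a bind value; it never becomes part of the SQL text.
    my $found = $dbh->selectrow_hashref(
        'SELECT status FROM ppcd_request WHERE ppcd_id = ?', undef, $ppcd_id);
    send_notice("$add_id\@example.com", $ppcd_no) if $found;
    $found;
};
if ($@) {
    warn "request failed: $@";                # details go to the server error log only
    reply('500 Internal Server Error', 'Request failed');
}
reply('200 OK', $row ? "Request $ppcd_id: $row->{status}" : 'Not found');
```

With `RaiseError` set, a failed connection is reported as a DBI error at the `connect` call rather than surfacing later as a method call on an undefined handle.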