From 2c7576bdad1fa54adb697fbdc40908a85a1e73a4 Mon Sep 17 00:00:00 2001 From: JT Smith Date: Tue, 1 Jul 2003 23:55:45 +0000 Subject: [PATCH] disabled write actions in SQL macro for security reasons --- docs/gotcha.txt | 8 ++++++++ lib/WebGUI/Macro/SQL.pm | 28 ++++++++++++++++------------ lib/WebGUI/Wobject/SQLReport.pm | 2 +- 3 files changed, 25 insertions(+), 13 deletions(-) diff --git a/docs/gotcha.txt b/docs/gotcha.txt index 4ecb3dd5a..90badd5be 100644 --- a/docs/gotcha.txt +++ b/docs/gotcha.txt @@ -8,6 +8,14 @@ versions. Be sure to heed the warnings contained herein as they will save you many hours of grief. +5.4.1 +-------------------------------------------------------------------- + * The programmer macros have been disabled by default in the sample + config file. + + * The SQL macro no longer allows write actions. + + 5.4.0 -------------------------------------------------------------------- * Page caching has been moved to individual pages rather than a diff --git a/lib/WebGUI/Macro/SQL.pm b/lib/WebGUI/Macro/SQL.pm index 67861de3a..d1fafeb93 100644 --- a/lib/WebGUI/Macro/SQL.pm +++ b/lib/WebGUI/Macro/SQL.pm @@ -20,19 +20,23 @@ sub process { my ($output, @data, $rownum, $temp); my ($statement, $format) = WebGUI::Macro::getParams(shift); $format = '^0;' if ($format eq ""); - my $sth = WebGUI::SQL->unconditionalRead($statement); - unless ($sth->errorCode < 1) { - return '

SQL Macro Failed: '.$sth->errorMessage.'

';
+ if ($statement =~ /^select/i || $statement =~ /^show/i || $statement =~ /^describe/i) {
+ my $sth = WebGUI::SQL->unconditionalRead($statement);
+ unless ($sth->errorCode < 1) {
+ return '

SQL Macro Failed: '.$sth->errorMessage.'

';
+ } else {
+ while (@data = $sth->array) {
+ $temp = $format;
+ $temp =~ s/\^(\d+)\;/$data[$1]/g;
+ $rownum++;
+ $temp =~ s/\^rownum\;/$rownum/g;
+ $output .= $temp;
+ }
+ $sth->finish;
+ return $output;
+ }
 } else {
- while (@data = $sth->array) {
- $temp = $format;
- $temp =~ s/\^(\d+)\;/$data[$1]/g;
- $rownum++;
- $temp =~ s/\^rownum\;/$rownum/g;
- $output .= $temp;
- }
- $sth->finish;
- return $output;
+ return "Cannot execute this type of query.";
 }
 }
diff --git a/lib/WebGUI/Wobject/SQLReport.pm b/lib/WebGUI/Wobject/SQLReport.pm
index be976590c..a48e5794a 100644
--- a/lib/WebGUI/Wobject/SQLReport.pm
+++ b/lib/WebGUI/Wobject/SQLReport.pm
@@ -185,7 +185,7 @@ sub www_view {
 WebGUI::ErrorHandler::warn("SQLReport [".$_[0]->get("wobjectId")."] The DSN specified is of an improper format.");
 }
 if (defined $dbh) {
- if ($query =~ /select/i || $query =~ /show/i || $query =~ /describe/i) {
+ if ($query =~ /^select/i || $query =~ /^show/i || $query =~ /^describe/i) {
 $sth = WebGUI::SQL->unconditionalRead($query,$dbh);
 unless ($sth->errorCode < 1) {
 $errorMessage = $sth->errorMessage;
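Review bot: The allow-list on the new `if` only looks at the leading verb, so MySQL statements that write through a SELECT — `SELECT ... INTO OUTFILE` / `INTO DUMPFILE` — still reach `unconditionalRead`, and the prefix match has no word boundary. A cheap tightening is `if ($statement =~ /^(?:select|show|describe)\b/i && $statement !~ /\binto\s+(?:outfile|dumpfile)\b/i) {`, with a comment above it such as `# prefix allow-list is a best-effort guard; the DB account must still be read-only`. Whether stacked statements (`SELECT 1; DELETE ...`) can slip past the prefix depends on the driver's multi-statement handling, which is not visible here, so the dependable control is running this read path on a database account granted only SELECT. The opening line of `process` is outside the hunk.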
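Review bot: The anchored allow-list on the changed `if` duplicates the one added to WebGUI::Macro::SQL in this same commit, so the two copies will drift the next time one is tightened (for example to reject `INTO OUTFILE`); a shared predicate such as `if (WebGUI::SQL::isReadOnlyStatement($query)) {` called from both sites would keep them in step. Because `$dbh` comes from a per-report DSN built above the hunk, that DSN's database account is the effective boundary: `^select` does not stop `SELECT ... INTO OUTFILE`, nor stacked statements if the driver permits them, so the account should hold only SELECT privilege. How `$query` is assembled is also outside the hunk; if macro expansion or user input feeds it, the same caveat applies. `www_view` starts and ends outside the hunk.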