Re: Can't call method "prepare" on an undefined value



Somehow you managed to have an undefined value instead of a DBI database handle in front of ->prepare, which is buried deep inside Oraperl.pm.

Please insert "use strict;" between the first line and the first line of code, and change the first line to "#!/usr/local/bin/perl -w". This will enable perl warnings and strict code checks. Remove all warnings and errors reported by strict and -w, then run your code again. Remove the & signs in front of function calls; this is Perl 4 style and has some undesirable side effects on Perl 5.

Looking at some more details, I see some problems with CGI parameters from the QUERY_STRING and other CGI issues. Consider using the CGI module instead of fiddling with environment variables. Consider using DBI objects instead of ora_xxx functions. Consider enabling taint mode (add -T to the first line).

At least $ppcd_id is vulnerable to SQL injection, allowing data to be read, and perhaps also modified and deleted, from the database.

At least $ppcd_no and $add_id are vulnerable to remote command execution, at least in the context of the CGI/Webserver user. They can also be (ab)used to send arbitrary mails to arbitrary recipients.

Personally, I would recommend deleting this script as soon as possible and rewriting it using CGI, DBI and taint mode. Feel free to contact me via email if you need help.

Alexander Foken


On 30.01.2007 11:23, Chong, Wei-Ling wrote:

Hi, I have one Oracle database located at server A and set up the Oracle HTTP Server at Server B. Both servers are Solaris servers. I have installed DBI and DBD on Server B and set up oraperl in my perl script.

When I run the perl script, I am getting error:





Can't call method "prepare" on an undefined value at /oracle/app/http/product/OAS10.1.2.0.2/perl/lib/site_perl/5.6.1/sun4-solaris/Oraperl.pm line 121.

[Tue Jan 30 16:39:26 2007] [error] [client 165.204.172.185] [ecid: 1170146365:165.204.178.123:1213:0:7,0] Premature end of script headers: /oracle/app/http/dl/web/cgi/eppcd/ppcd_approval_ora.pl



It works fine when the oraperl is located on the same server as the database. I searched the internet and it might be due to a connection string problem. I am able to sqlplus to this database on Server B: sqlplus ppcd@xxxxxxxxxxxxxxx



Attached is my perl script. Is there any error in my oraperl code?



Please help, very much appreciated.

Thanks.



Best Regards,

Chong





--
Alexander Foken
mailto:alexander@xxxxxxxx http://www.foken.de/alexander/
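
Added example, not part of the original thread and not the poster's script (which is not shown on this page): a Perl CGI skeleton following the advice in the reply, with strict, warnings, taint mode, CGI.pm, a checked DBI handle, a placeholder query and a shell-free mail pipe. The TNS alias, the PPCD_DB_PASSWORD variable, the ppcd_request table, the parameter patterns, the sendmail path and the example.com address are assumptions; the list-form pipe open needs Perl 5.8 or later.

```perl
#!/usr/local/bin/perl -wT
use strict;
use CGI;
use DBI;
# Taint mode will not run external programs with an inherited environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $q = CGI->new;

sub fail {    # report an error to the client and stop
    print $q->header(-status => $_[0], -type => 'text/plain'), "$_[1]\n";
    exit 0;
}

# Accept a parameter only if the whole value matches a strict pattern; the
# capture is what untaints it. The patterns below are assumptions.
sub checked_param {
    my ($name, $pattern) = @_;
    my $value = $q->param($name);
    fail('400 Bad Request', "invalid parameter: $name")
        unless defined $value && $value =~ /\A($pattern)\z/;
    return $1;
}
my $ppcd_id = checked_param('ppcd_id', qr/[0-9]{1,10}/);
my $ppcd_no = checked_param('ppcd_no', qr/[A-Za-z0-9-]{1,20}/);
my $add_id  = checked_param('add_id',  qr/[A-Za-z0-9._-]{1,32}/);

# connect() returns undef on failure, so test it before calling ->prepare.
# PrintError sends the reason to STDERR, i.e. the web server's error log.
# The TNS alias and the password variable are placeholders.
my $dbh = DBI->connect('dbi:Oracle:TNS_ALIAS_PLACEHOLDER', 'ppcd',
                       $ENV{PPCD_DB_PASSWORD}, { PrintError => 1, RaiseError => 0 })
    or fail('500 Internal Server Error', 'database unavailable');
$dbh->{RaiseError} = 1;

# The value is bound as data and never parsed as SQL (hypothetical table).
my $sth = $dbh->prepare('SELECT status FROM ppcd_request WHERE ppcd_id = ?');
$sth->execute($ppcd_id);
my ($status) = $sth->fetchrow_array;
$sth->finish;
$dbh->disconnect;
fail('404 Not Found', 'no such request') unless defined $status;

# List-form open (Perl 5.8+) starts sendmail without a shell; the validated
# values contain no newlines, so they cannot add headers or recipients.
open(my $mail, '|-', '/usr/lib/sendmail', '-t', '-oi')
    or fail('500 Internal Server Error', 'cannot send mail');
print {$mail} "To: $add_id\@example.com\nSubject: PPCD $ppcd_no\n\n$status\n";
close($mail);
print $q->header(-type => 'text/plain'), "notification sent\n";
```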
