http://www.perlmonks.org?node_id=440823


in reply to Re^4: DBH Insert of Binary Data
in thread DBH Insert of Binary Data

Try this with your favorite DBD. The DBD and/or the RDBMS may prevent the injection at some later time, but the quote method has little to do with it.
    my $val = $dbh->quote(q{Boston;DELETE FROM myTable});
As for the quote method not messing up a binary, you're probably correct in most cases, but in cases where the DBD supports several escaping methods (e.g. both '' and \') it's possible to have problems. And even where it doesn't cause problems, you're adding three different steps to the process - quoting the Blob, unquoting the Blob, and parsing the Blob as a value within the SQL string.

Re^6: DBH Insert of Binary Data
by Joost (Canon) on Mar 19, 2005 at 01:36 UTC
    #!perl -w
    use strict;
    use DBI;
    my $dbh = DBI->connect('DBI:mysql:database=test','xxx','yyy',) || die;
    print $dbh->quote(q{Boston;DELETE FROM myTable});
    __END__
    'Boston;DELETE FROM myTable'

    I don't see your point. If any DBD driver lets this through (and DBD::mysql doesn't), it's a major bug. Yes, it might be inefficient, but it should never lead to a security risk if used correctly.

      > If any DBD driver lets this through (and DBD::mysql doesn't), it's a major bug.

      Agreed.
        So now I'm getting curious: are there DBD drivers where you could get an SQL injection attack while still using the quote method correctly?

        Just to make myself as clear as I can: I agree that using placeholders is usually the best and most efficient technique, but I am under the impression that using quote() would (or at least, should) catch all attempts of "breaking out of" an SQL value.

        updated: s/attact/attack/
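        The two positions in this thread (quote() keeps a value from breaking out of its literal; placeholders skip the quote/unquote/parse round trip and bind binary data as-is) can be checked side by side. This is an added example, not code from any poster; it assumes DBD::SQLite is installed and uses an in-memory database so it runs offline, and the table name and the blob bytes are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): compares $dbh->quote() with
# placeholders for the value used above, plus a binary blob.
# Assumes DBD::SQLite; the in-memory database needs no server.
use strict;
use warnings;
use DBI qw(:sql_types);   # exports SQL_BLOB for bind_param

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE myTable (id INTEGER PRIMARY KEY, city TEXT, payload BLOB)');

# The value from the thread, with a single quote added so the escaping
# is visible in the generated SQL.
my $city = q{Bos'ton;DELETE FROM myTable};

# 1. String building with quote(): the value is wrapped and escaped, so
#    the whole thing, semicolon included, lands in the table as one literal.
my $sql = 'INSERT INTO myTable (city) VALUES (' . $dbh->quote($city) . ')';
print "Quoted SQL: $sql\n";
$dbh->do($sql);

# 2. Placeholders: the value never becomes part of the SQL text, so there
#    is nothing to escape on the way in and nothing to unescape on the way
#    out. SQL_BLOB tells the driver to bind the bytes without any text
#    handling at all.
my $sth  = $dbh->prepare('INSERT INTO myTable (city, payload) VALUES (?, ?)');
my $blob = pack('C*', 0, 39, 92, 255, 10, 0);   # constructed: NUL ' \ 0xFF LF NUL
$sth->bind_param(1, $city);
$sth->bind_param(2, $blob, SQL_BLOB);
$sth->execute;

# Both rows are present (no DELETE ran), the text is stored verbatim, and
# the blob comes back byte-for-byte.
my $rows = $dbh->selectall_arrayref('SELECT city, payload FROM myTable ORDER BY id');
printf "%d rows in myTable\n", scalar @$rows;
print "city stored verbatim by both methods\n"
    if $rows->[0][0] eq $city && $rows->[1][0] eq $city;
print "blob round-tripped byte-for-byte\n" if $rows->[1][1] eq $blob;
$dbh->disconnect;
```

        Running it prints the quoted statement (`'Bos''ton;DELETE FROM myTable'` under SQLite's doubled-quote convention), reports two rows, and confirms both the text and the blob survived. The quote() path works for text because the driver knows the server's escaping rules, but the blob went through bind_param precisely so that no quoting convention has to be agreed on at all.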