Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery
 
PerlMonks  

Re: Use PPI to Find SQL Injection Attacks

by jZed (Prior)
on Aug 14, 2007 at 18:14 UTC ( #632560=note: print w/ replies, xml ) Need Help??


in reply to Use PPI to Find SQL Injection Attacks

Unless I'm misreading, some of the more serious false negatives include:

$dbh->do(qq{ /* comment */ INSERT INTO foo VALUES('$bad_stuff') }); $dbh->do(qq{ INSERT INTO foo VALUES($bad_stuff) }); $dbh->do( sprintf( "INSERT INTO foo VALUES(%s)", $bad_stuff ));
A better approach might be to find all the prepare() and do() statements and run them through a safe DBI subclass that does the prepare and evaluates what it prepared.


Comment on Re: Use PPI to Find SQL Injection Attacks
Download Code
Re^2: Use PPI to Find SQL Injection Attacks
by Ovid (Cardinal) on Aug 14, 2007 at 18:58 UTC

    Excellent points on the SQL. I like the DBI subclass idea. Can you point me to some examples? I've never tried to do anything like that before.

    Cheers,
    Ovid

    New address of my CGI Course.

      A minimal DBI subclass can be found here: Interpolate binds into SQL on error - DBI subclassing (possibly not the best example but since I wrote it I knew where to find it :-)). Basically you'd need to redefine execute() to do nothing, and redefine prepare() (in MyDBI::db) to do your injection checking.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://632560]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (4)
As of 2014-07-26 01:30 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (175 votes), past polls