PerlMonks  

Re: Use PPI to Find SQL Injection Attacks

by jZed (Prior) on Aug 14, 2007 at 18:14 UTC (#632560)


in reply to Use PPI to Find SQL Injection Attacks

Unless I'm misreading, some of the more serious false negatives include:

    $dbh->do(qq{ /* comment */ INSERT INTO foo VALUES('$bad_stuff') });
    $dbh->do(qq{ INSERT INTO foo VALUES($bad_stuff) });
    $dbh->do( sprintf( "INSERT INTO foo VALUES(%s)", $bad_stuff ));

A better approach might be to find all the prepare() and do() statements and run them through a safe DBI subclass that does the prepare and evaluates what it prepared.


Re^2: Use PPI to Find SQL Injection Attacks
by Ovid (Cardinal) on Aug 14, 2007 at 18:58 UTC

    Excellent points on the SQL. I like the DBI subclass idea. Can you point me to some examples? I've never tried to do anything like that before.

    Cheers,
    Ovid


      A minimal DBI subclass can be found here: Interpolate binds into SQL on error - DBI subclassing (possibly not the best example but since I wrote it I knew where to find it :-)). Basically you'd need to redefine execute() to do nothing, and redefine prepare() (in MyDBI::db) to do your injection checking.
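The subclass sketched in the two replies above, written out as an added example that is not code from this thread or from jZed's linked node. It follows DBI's documented subclassing layout (MyDBI, MyDBI::db, MyDBI::st) and connects to DBD::NullP, the do-nothing driver that ships with DBI, so it runs without a real database; the SqlLint package and its literal-spotting rules are hypothetical and are mine. Because the check runs on the SQL string after Perl has done its interpolation or sprintf, the three false-negative shapes from the top post all look alike to it, which is the point of checking at prepare() time rather than in the source text.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;   # DBD::NullP, the no-op driver bundled with DBI, is assumed below

# ---- SqlLint: hypothetical policy check on the SQL string DBI receives ----
# Policy: values reach the database only through ? placeholders, so any
# quoted string literal, any number right after "(", ",", "=", "<" or ">",
# or an unbalanced quote is reported.  Comments are stripped first so they
# cannot hide a literal from the patterns.
package SqlLint;

sub literals_in {
    my ($sql) = @_;
    (my $clean = $sql) =~ s{/\*.*?\*/}{ }gs;   # /* ... */ comments
    $clean =~ s{--[^\n]*}{ }g;                  # -- comments to end of line
    my @hits;
    push @hits, "string literal $1"  while $clean =~ /('(?:[^']|'')*')/g;
    push @hits, "numeric literal $1" while $clean =~ /[(,=<>]\s*(-?\d+(?:\.\d+)?)\b/g;
    my $quotes = () = $clean =~ /'/g;
    push @hits, "unbalanced quote" if $quotes % 2;
    return @hits;
}

# ---- MyDBI: DBI subclass that audits prepare() and never executes ----
package MyDBI;
our @ISA = ('DBI');

package MyDBI::db;
our @ISA = ('DBI::db');

sub prepare {
    my ($dbh, $sql, @attr) = @_;
    for my $hit (SqlLint::literals_in($sql)) {
        warn "MyDBI: possible injection, use ? placeholders: $hit\n    in: $sql\n";
    }
    return $dbh->SUPER::prepare($sql, @attr);
}

# DBI's built-in do() prepares on the driver's inner handle, which would
# skip the prepare() above, so do() is routed through it explicitly.
sub do {
    my ($dbh, $sql, $attr, @bind) = @_;
    my $sth = $dbh->prepare($sql, $attr) or return;
    return $sth->execute(@bind);
}

package MyDBI::st;
our @ISA = ('DBI::st');

# Audit mode: report success without ever touching the database.
sub execute { return '0E0' }

package main;

my $dbh = MyDBI->connect('dbi:NullP:', '', '', { RaiseError => 1, PrintError => 0 });

my $bad_stuff = "x'); DROP TABLE foo; --";   # constructed hostile sample
my $id        = 42;                          # benign value, still a literal

# The three shapes from the top post, each reported by prepare():
$dbh->do(qq{ /* comment */ INSERT INTO foo VALUES('$bad_stuff') });   # string literal
$dbh->do(qq{ INSERT INTO foo VALUES($id) });                           # numeric literal
$dbh->do( sprintf( "INSERT INTO foo VALUES(%s)", $bad_stuff ) );       # unbalanced quote

# The placeholder form passes the check; execute() still does nothing.
my $sth = $dbh->prepare('INSERT INTO foo VALUES(?)');
$sth->execute($bad_stuff);
```

Two design notes. The check is deliberately a policy check, not an attack detector: the benign `VALUES(42)` is reported just like the hostile string, because the fix is the same in both cases (a placeholder), and that keeps the rule free of guesses about what an attack looks like. And `do()` is overridden alongside `prepare()` because DBI's default `do()` works on the driver's inner handle, so a subclass that only overrides `prepare()` would audit `$dbh->prepare(...)` calls but not the `$dbh->do(...)` calls the top post is most concerned with. With a real DSN in place of `dbi:NullP:`, the no-op `execute()` lets the audit run against production code paths without modifying data.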
