PerlMonks  

Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

by aquarium (Curate)
on Jan 10, 2008 at 03:18 UTC


in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

If you want to be fairly sure that your code is SQL injection safe against typical attacks, then you should use typical attacks to test with. Most hackers use an up-to-date bundle of tricks, typically already in a script, to try to cause harm...and don't bother hand hacking. As such, the trivial test cases presented do not represent a typical SQL injection hacker's bundle, by any stretch of the imagination.

Also, to help prevent SQL injection...normally you also untaint the data by an inclusion regex, e.g.

bad_input() if($cityname !~ /^[a-zA-Z .,]+$/);

...and never untaint by disallowing banned characters instead. You never know if your banned character list is complete.
the hardest line to type correctly is: stty erase ^H


Re^2: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
by erik (Sexton) on Jan 10, 2008 at 11:14 UTC
You said that "Most hackers use an up-to-date bundle of tricks, typically already in a script, to try to cause harm...and don't bother hand hacking." I didn't have much success looking that up in Google. Do you have any suggestion on resources/modules providing test cases of SQL injection or any other type of security threat? Such a module would be great for testing code safety or query safety.

BTW, when/if possible, it always seems safer to me to check inputs in a "white list" fashion. If you check that inputs contain only letters, numbers and underscores and don't exceed a certain length, that would probably increase security by a great deal.
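The two suggestions above (untaint by an inclusion regex, and add a length cap) combined with the placeholders the thread title is about, as an added example that is not part of either post. It assumes DBI and DBD::SQLite are installed; the city table, the untaint_cityname function and the list of sample inputs are constructed here for illustration.

```perl
#!/usr/bin/perl
# Added example: whitelist untainting plus DBI bind parameters, run over a
# constructed list of inputs of the kind an injection test bundle would send.
use strict;
use warnings;
use DBI;

# Inclusion ("white list") check: accept only what we expect and reject
# everything else, rather than trying to enumerate bad characters.
# The capture group is what actually clears Perl's taint flag.
# \A and \z are used instead of ^ and $ because $ would also accept a
# value with a trailing newline.
sub untaint_cityname {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef if length($raw) > 64;              # length cap, as suggested above
    return $1 if $raw =~ /\A([a-zA-Z .,]+)\z/;
    return undef;
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE city (name TEXT, population INTEGER)');
$dbh->do('INSERT INTO city VALUES (?, ?)', undef, 'Melbourne', 4000000);
$dbh->do('INSERT INTO city VALUES (?, ?)', undef, 'Perth',     1800000);

# Constructed sample inputs: two legitimate names followed by strings of the
# kind an automated injection test would put into a form field.
my @inputs = (
    'Perth',
    'St. Louis',
    "' OR '1'='1",
    "Perth'; DROP TABLE city; --",
    "Perth\n",
    "Perth\x00",
    'x' x 200,
);

my $sth = $dbh->prepare('SELECT population FROM city WHERE name = ?');

for my $raw (@inputs) {
    my $city = untaint_cityname($raw);
    unless (defined $city) {
        printf "REJECTED %-32s (failed inclusion check)\n",
               "'" . substr($raw, 0, 28) . "'";
        next;
    }
    # The value travels as a bind parameter, never interpolated into the SQL
    # text, so even an accepted value cannot change the statement's structure.
    $sth->execute($city);
    my ($pop) = $sth->fetchrow_array;
    $sth->finish;
    printf "ACCEPTED %-32s -> %s\n", "'$city'",
           defined $pop ? $pop : 'no such city';
}

$dbh->disconnect;
```

Only 'Perth' and 'St. Louis' pass the inclusion check; everything else is rejected before it reaches the database, and the two accepted values are still bound with a placeholder rather than spliced into the query. Note that the whitelist is deliberately narrow for the field in question; a name like "Saint-Étienne" would be rejected by this regex, which is the usual trade-off of inclusion checks and why the character class has to be chosen per field.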
