PerlMonks  

Re: Yet another reason to use DBI placeholders

by diotalevi (Canon)
on Dec 14, 2008 at 06:25 UTC (#730257)


in reply to Yet another reason to use DBI placeholders

Hey, funny that. There's a SQL injection (https://rt.cpan.org/Ticket/Display.html?id=41565) in the latest DBD::Pg that works even in the face of placeholders.

> > use DBI qw(:sql_types);   # imports the SQL_INTEGER constant; $d is an already-connected DBD::Pg handle
> > $s=$d->prepare(q[select ? where 1=?], { pg_server_prepare => 0 });
> > $s->bind_param(2,undef,SQL_INTEGER);
> > $s->execute(1,"2; drop table x;");

⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊
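To see why a declared bind type matters once the driver is doing the substitution itself, here is an added example (not code from the post, the RT ticket or DBD::Pg) that models client-side placeholder interpolation in a few lines of Perl. The helper names (quote_literal, interpolate_unsafe, interpolate_checked, checked_integer) are hypothetical, and the model is deliberately simplified: a value bound as SQL_INTEGER is spliced in unquoted, everything else is quoted. The hardened variant refuses to splice an SQL_INTEGER value that does not actually look like an integer. No database connection is needed; DBI is only used for the SQL_INTEGER constant.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI qw(:sql_types);   # only for the SQL_INTEGER constant; no connection is made

# Hypothetical, simplified model of what a driver has to do when it cannot
# use server-side prepares (pg_server_prepare => 0): it splices each bound
# value into the SQL text itself, and the declared bind type decides whether
# the value is quoted. This is NOT DBD::Pg's real implementation.

sub quote_literal {
    my ($v) = @_;
    return 'NULL' unless defined $v;
    (my $q = $v) =~ s/'/''/g;           # double embedded single quotes
    return "'$q'";
}

# Hardened path: an SQL_INTEGER value must really be an integer before it is
# allowed into the statement text unquoted.
sub checked_integer {
    my ($v) = @_;
    die sprintf("bind value for SQL_INTEGER placeholder is not an integer: %s\n",
                defined $v ? "'$v'" : 'undef')
        unless defined $v && $v =~ /\A-?\d+\z/;
    return $v;
}

# Unsafe: trusts the declared type and emits SQL_INTEGER values verbatim.
sub interpolate_unsafe {
    my ($sql, $values, $types) = @_;
    my $i = 0;
    $sql =~ s{\?}{
        my $v = $values->[$i];
        my $t = $types->[$i];
        $i++;
        (defined $t && $t == SQL_INTEGER) ? $v : quote_literal($v)
    }ge;
    return $sql;
}

# Hardened: same substitution, but typed values are validated first.
sub interpolate_checked {
    my ($sql, $values, $types) = @_;
    my $i = 0;
    $sql =~ s{\?}{
        my $v = $values->[$i];
        my $t = $types->[$i];
        $i++;
        (defined $t && $t == SQL_INTEGER) ? checked_integer($v) : quote_literal($v)
    }ge;
    return $sql;
}

# The statement and bind values from the post above (constructed input).
my $sql    = 'select ? where 1=?';
my @values = (1, '2; drop table x;');
my @types  = (undef, SQL_INTEGER);

print "unsafe:  ", interpolate_unsafe($sql, \@values, \@types), "\n";
# unsafe:  select '1' where 1=2; drop table x;

my $checked = eval { interpolate_checked($sql, \@values, \@types) };
print defined $checked ? "checked: $checked\n" : "checked: rejected, $@";
# checked: rejected, bind value for SQL_INTEGER placeholder is not an integer: '2; drop table x;'
```

The two outputs show the whole problem: with type-driven quoting, bind_param(..., SQL_INTEGER) is a promise the driver takes at face value, and the injected text lands in the statement exactly as mr_mischief feared. The integer check is the minimal client-side fix; the more robust defence is to leave pg_server_prepare at its default of 1 so that values travel to the server as separate parameters and are never parsed as SQL at all.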

Re^2: Yet another reason to use DBI placeholders
by mr_mischief (Monsignor) on Dec 16, 2008 at 03:10 UTC
    That's a scary one. Here's hoping it's fixed soon. I also hope that if the bind_param call is not made that "2; drop table x;" would be passed as a quoted string in the meantime.
