Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

Re^2: DBI & MySQL Login Test

by astroboy (Chaplain)
on Aug 25, 2009 at 22:16 UTC ( #791184=note: print w/replies, xml ) Need Help??

in reply to Re: DBI & MySQL Login Test
in thread DBI & MySQL Login Test

Hmm, that's one way of protecting against SQL injection, I guess. But it means that you'd need to run this kind of query for all SQL queries that use external data.

And it means any internal users who simply want to query the db - using Crystal Reports, Business Objects or a myriad of other tools, now can't.

Replies are listed 'Best First'.
Re^3: DBI & MySQL Login Test
by Sewi (Friar) on Aug 26, 2009 at 12:29 UTC
    Sorry, but you're wrong :-)
    I'm using the HEX representation only between the Perl script and the SQL-Server. You could still do a
    SELECT LastLogin FROM Users WHERE Username="astroboy"
    Note the " around your name, they make this a string.
    Try this with your SQL-Server:
    SELECT 1 WHERE "astroboy"=0x617374726f626f79

    PS: You could also use SQL commands to play with your string, because the SQL server trade it as a plain string, not a list of HEX-codes:

    SELECT 1 FROM Users WHERE LOWER(Username)=LOWER(0x617374726f626f79) AN +D Password=0x617374726f626f79
    This would match astroboy, ASTROBOY and AstroBoy in the DB, but not 0x617374726f626f79 or 0x617374726F626F79.
      oh, ok. I couldn't get this to work with MySQL
      Whoops, when I changed to MySQL syntax I got it to work. Very cool.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://791184]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (6)
As of 2018-05-24 04:21 GMT
Find Nodes?
    Voting Booth?