Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??
    About a single quote character causing a problem? Wow, you must think that the DBD modules are almost completely untested?

No -- I'm confident that the DBD modules are tested against this specific challenge.

Anyway, just to be sure, I expanded my script ..

#!/usr/bin/perl -w use DBI; # Test SQL injection attack. The test table 'jobs' was created with # the command 'create table jobs (j_id integer, j_value text);' in " all three databases. my @databases = ( 'mysql:test', 'Pg:dbname=test', 'SQLite:test.sq3' ); my @data = ( { id => 44, value => "Some benign text" }, { id => 55, value => "Just regular data" }, { id => 66, value => "Evil data');DELETE FROM jobs;" }, { id => 77, value => 'Horrible data");DELETE FROM jobs;' }, { id => 88, value => "More Evil data\\');DELETE FROM jobs;" }, { id => 99, value => 'More Horrible data\");DELETE FROM jobs;' }, ); { foreach my $thisDbName ( @databases ) { my $dbh = DBI->connect("DBI:$thisDbName", undef, undef ) or die "Unable to connect to $thisDbName: " . $DBI::errstr; print "Connected OK to $thisDbName.\n"; # Clean up test table before we start .. my $cmd = "DELETE FROM jobs"; my $sth = $dbh->prepare($cmd); print "Clear out existing data from the test table ..\n"; $sth->execute or die "Problem executing $cmd: " . $sth->errstr; $cmd = "INSERT INTO jobs (j_id, j_value) VALUES (?,?)"; $sth = $dbh->prepare($cmd); # Add test data into table .. foreach my $hashref ( @data ) { print "Add ($hashref->{'id'},$hashref->{'value'})" ." to the test table ..\n"; $sth->execute($hashref->{'id'}, $hashref->{'value'}) or die "Problem executing $cmd: " . $sth->errstr; } # Dump out the resulting tables. $cmd = "SELECT * FROM jobs"; $sth = $dbh->prepare($cmd); print "Dump out the result.\n"; $sth->execute or die "Problem executing $cmd: " . $sth->errstr; DBI::dump_results($sth); print "\n"; } }

And I still got good results ..

Connected OK to mysql:test. Clear out existing data from the test table .. Add (44,Some benign text) to the test table .. Add (55,Just regular data) to the test table .. Add (66,Evil data');DELETE FROM jobs;) to the test table .. Add (77,Horrible data");DELETE FROM jobs;) to the test table .. Add (88,More Evil data\');DELETE FROM jobs;) to the test table .. Add (99,More Horrible data\");DELETE FROM jobs;) to the test table .. Dump out the result. '44', 'Some benign text' '55', 'Just regular data' '66', 'Evil data');DELETE FROM jobs;' '77', 'Horrible data");DELETE FROM jobs;' '88', 'More Evil data\');DELETE FROM ...' '99', 'More Horrible data\");DELETE F...' 6 rows Connected OK to Pg:dbname=test. Clear out existing data from the test table .. Add (44,Some benign text) to the test table .. Add (55,Just regular data) to the test table .. Add (66,Evil data');DELETE FROM jobs;) to the test table .. Add (77,Horrible data");DELETE FROM jobs;) to the test table .. Add (88,More Evil data\');DELETE FROM jobs;) to the test table .. Add (99,More Horrible data\");DELETE FROM jobs;) to the test table .. Dump out the result. '44', 'Some benign text' '55', 'Just regular data' '66', 'Evil data');DELETE FROM jobs;' '77', 'Horrible data");DELETE FROM jobs;' '88', 'More Evil data\');DELETE FROM ...' '99', 'More Horrible data\");DELETE F...' 6 rows Connected OK to SQLite:test.sq3. Clear out existing data from the test table .. Add (44,Some benign text) to the test table .. Add (55,Just regular data) to the test table .. Add (66,Evil data');DELETE FROM jobs;) to the test table .. Add (77,Horrible data");DELETE FROM jobs;) to the test table .. Add (88,More Evil data\');DELETE FROM jobs;) to the test table .. Add (99,More Horrible data\");DELETE FROM jobs;) to the test table .. Dump out the result. 44, 'Some benign text' 55, 'Just regular data' 66, 'Evil data');DELETE FROM jobs;' 77, 'Horrible data");DELETE FROM jobs;' 88, 'More Evil data\');DELETE FROM ...' 99, 'More Horrible data\");DELETE F...' 6 rows

So it's not guaranteed that these three DBDs are 100% protected, but a few obvious tests show that I'm fairly confident that the three DBDs that I care about are OK.

Alex / talexb / Toronto

"Groklaw is the open-source mentality applied to legal research" ~ Linus Torvalds


In reply to Re^4: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite (boggle) by talexb
in thread Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite by talexb

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others surveying the Monastery: (9)
    As of 2014-11-29 04:12 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      My preferred Perl binaries come from:














      Results (203 votes), past polls