Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

Re: Preventing malicious T-SQL injection attacks

by bart (Canon)
on Mar 05, 2007 at 11:18 UTC ( #603190=note: print w/replies, xml ) Need Help??

in reply to Preventing malicious T-SQL injection attacks

I think you ought to be able to use placeholders for the parameters. Thus, you provide just as many question marks as there are parameters (BTW don't the parameters start at index 0?), and pass the actual parameter in the do call.
$Command = "EXEC $SPROC " . join ', ', ('?') x $elements_in_array;
This will produce something that looks like
EXEC FOO ?, ?, ?
(I have no idea if this is the proper syntax for calling stored procedures in T-SQL — perhaps it needs parens?)
which later you call through
$dbh->do($Command, undef, @CHOICE[1 .. $elements_in_array])
(The undef comes in place of the \%attr in the docs.)

That ought to remove all possible problems related to dangerous values in ther parameters, as they're all treated as content of strings.

And yes, you should check if $PROC looks right, like a proper procedure name, for example with a regex.

Replies are listed 'Best First'.
Re^2: Preventing malicious T-SQL injection attacks
by Win (Novice) on Mar 05, 2007 at 16:23 UTC
    Does the following look like a sensible precaution? My computer is tied up at the moment. Can't test it.
    for my $chosen (@CHOICE) { if ($_ =~ /\-\-/ || $_ =~ /\;/){ print "There is a possible injection attack here"; ## Security fun +ction here die; }

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603190]
[stevieb]: interestingly enough, someone else got my Devel::Examine:: Subs distribution for their PRC, and I applaud the change. This dist is extremely complicated and mostly obfu, but the person doing it understood PPI enough to change...
[stevieb]: ...something I had overlooked in the extreme depths of the core functionality. After merging, then a couple of extra tweaks, I still have 100% test coverage. Yay for people who write tests!

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (5)
As of 2017-01-24 01:22 GMT
Find Nodes?
    Voting Booth?
    Do you watch meteor showers?

    Results (199 votes). Check out past polls.