Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery

Re: Preventing malicious T-SQL injection attacks

by Trizor (Pilgrim)
on Mar 05, 2007 at 12:32 UTC ( #603197=note: print w/replies, xml ) Need Help??

in reply to Preventing malicious T-SQL injection attacks

It isn't clear if @CHOICE comes from you or the user. If it comes from you the issue is paranoid versus pragmatic: sure someone could have found a way to malicously modify that variable, but is it worth the extra effort here to make sure its safe? Or would it be more worth your time to find the holes that could lead to the modification.

Of course this goes out the window if @CHOICE isn't your creation, in which case I'd reccomend using a prepared statement to check syntax before execution. If the create fails, then its likely that an injection attack was attempted and you can log or take necessary action.

eval { $dbh->prepare($Command); } if ($@) { # Those jerks tried to inject us... }

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603197]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (8)
As of 2016-10-25 12:12 GMT
Find Nodes?
    Voting Booth?
    How many different varieties (color, size, etc) of socks do you have in your sock drawer?

    Results (317 votes). Check out past polls.