PerlMonks
Re^5: Preventing malicious T-SQL injection attacks

by davorg (Chancellor)
on Mar 05, 2007 at 16:05 UTC ( #603239=note )


in reply to Re^4: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks

You can question whatever you want. It's your code, after all.

But you need to know the number of parameters in order to create an SQL string with the correct number of placeholders. So DBI checks the number of parameters for you for free.

You get an extra layer of defensive programming for no cost. I can't see any reason why you wouldn't want to make use of it.

Re^6: Preventing malicious T-SQL injection attacks
by Win (Novice) on Mar 05, 2007 at 16:31 UTC
    I think that it would be good when SELECT is used in a similar circumstance. But when that particular feature is used with EXEC I believe it is redundant code and therefore is best not used.

      But what is redundant? What would you remove? Like I said, this is a completely free feature. There is no code in there which specifically checks for the right number of parameters, it's just something that execute gives you for free.

      There is no redundancy. There is nothing to remove. If you find something to remove then I'd love to see it.

        I suppose that it would add an extra layer of security given that, otherwise, a hacker may manage to alter the SPROC to take an extra variable and then run that without changes to the Perl program.
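The pattern davorg describes, applied to the EXEC case Win raises, as an added example that is not code from this thread or from DBI itself. The DSN, the credentials, the stored procedure dbo.GetOrdersForCustomer and its two parameters are assumptions made for the illustration. The parameter-count check is performed by DBI's execute using the NUM_OF_PARAMS the driver records at prepare time (DBD::ODBC derives it from the ? markers), so it costs nothing beyond using placeholders in the first place.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example: connection details and the procedure name are assumptions.
my $dbh = DBI->connect(
    'dbi:ODBC:DSN=MyOrders',          # assumed DSN for the SQL Server box
    'app_user', 'app_password',       # assumed credentials
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 },
);

my ($customer_id, $since) = (42, '2007-01-01');

# The pattern to avoid: the caller's values become part of the T-SQL text,
# so a value such as "42; DROP TABLE Orders; --" is parsed as a statement.
#   $dbh->do("EXEC dbo.GetOrdersForCustomer $customer_id, '$since'");

# The hardened form: placeholders work for EXEC exactly as for SELECT.
# The values are bound by the driver and never spliced into the SQL string.
my $sth = $dbh->prepare('EXEC dbo.GetOrdersForCustomer ?, ?');

# The driver recorded how many placeholders were prepared.
printf "prepared statement expects %d parameters\n", $sth->{NUM_OF_PARAMS};

$sth->execute($customer_id, $since);
while (my $row = $sth->fetchrow_hashref) {
    print join(', ', map { "$_=$row->{$_}" } sort keys %$row), "\n";
}

# The free check: execute with the wrong number of bind values dies under
# RaiseError before anything is sent to the server. A procedure altered to
# take an extra parameter cannot be called silently by the old Perl code.
my $ok = eval { $sth->execute($customer_id, $since, 'extra'); 1 };
print "rejected by DBI: $@" unless $ok;

# The injection test itself: a hostile value travels as data. Bound to an
# integer parameter it fails type conversion on the server instead of being
# parsed as T-SQL, so the DROP never runs.
my $hostile = "42; DROP TABLE Orders; --";
$ok = eval { $sth->execute($hostile, $since); 1 };
print "hostile value rejected as data: $@" unless $ok;

$sth->finish;
$dbh->disconnect;
```

The mismatched execute fails in DBI's dispatch layer with a message of the form "called with 3 bind variables when 2 are needed"; no statement text is built and no round trip happens. The caveat for other drivers is that the check can only fire when the driver sets NUM_OF_PARAMS after prepare, which is the case for the DBD::ODBC path to SQL Server discussed here.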
