PerlMonks  

Re: Yet another reason to use DBI placeholders

by diotalevi (Canon)
on Dec 14, 2008 at 06:25 UTC


in reply to Yet another reason to use DBI placeholders

Hey, funny that. There's a SQL injection (https://rt.cpan.org/Ticket/Display.html?id=41565) in the latest DBD::Pg that works even in the face of placeholders.

> $s = $d->prepare(q[select ? where 1=?], { pg_server_prepare => 0 });
> $s->bind_param(2, undef, SQL_INTEGER);
> $s->execute(1, "2; drop table x;");

⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊
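Added example, not from the ticket or from either poster: with client-side prepares disabled the driver quotes each value according to its declared type, and an SQL_INTEGER parameter is interpolated unquoted, which is what lets a non-numeric string reach the server as SQL. The defensive pattern below keeps pg_server_prepare at its default (enabled) so values never get interpolated into the statement text, and adds a hypothetical guard, bind_int_checked, that refuses anything bound as SQL_INTEGER which is not syntactically an integer. The connection string, user and password are placeholders.

```perl
use strict;
use warnings;
use DBI qw(:sql_types);

# Hypothetical guard (not part of DBI or DBD::Pg): only let values that are
# syntactically integers reach an SQL_INTEGER bind, so a string such as
# "2; drop table x;" is rejected before the driver ever sees it.
sub bind_int_checked {
    my ($sth, $index, $value) = @_;
    die "parameter $index: expected an integer, got '"
        . (defined $value ? $value : 'undef') . "'\n"
        unless defined $value && $value =~ /\A-?[0-9]+\z/;
    return $sth->bind_param($index, $value, SQL_INTEGER);
}

# Placeholder connection details; replace with your own.
my $dbh = DBI->connect('dbi:Pg:dbname=PLACEHOLDER', 'PLACEHOLDER_USER',
                       'PLACEHOLDER_PASS', { RaiseError => 1, AutoCommit => 1 });

# pg_server_prepare is left at its default (enabled): the statement text and
# the parameter values are sent to the server separately, so there is no
# client-side quoting step for a type annotation to bypass.
my $sth = $dbh->prepare('select ? where 1 = ?');

# Bind the values explicitly and call execute() without arguments, so the
# guard sees exactly the values that will be used.
$sth->bind_param(1, 'hello');
bind_int_checked($sth, 2, 2);
$sth->execute;

# The payload from the ticket never reaches bind_param, let alone the server.
eval { bind_int_checked($sth, 2, '2; drop table x;') };
print "rejected: $@" if $@;
```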


Re^2: Yet another reason to use DBI placeholders
by mr_mischief (Monsignor) on Dec 16, 2008 at 03:10 UTC
    That's a scary one. Here's hoping it's fixed soon. I also hope that if the bind_param call is not made that "2; drop table x;" would be passed as a quoted string in the meantime.
