Win has asked for the wisdom of the Perl Monks concerning the following question:
I am executing MS SQL Server SPROCs through a Perl program. The critical piece of code that sets up the execute statement follows:

```perl
$Command = join(' ', 'EXEC', $SPROC, join(', ', @CHOICE[1 .. $elements_in_array])) . '';
```

I really want advice on the best way of preventing a malicious injection attack or some other attack. I guess that it might be an idea to limit the SPROCs that can be called. It might be an idea to make it impossible to activate any SPROC that is a system SPROC. That would require screening of the $SPROC variable. Should I exclude the possibility of @CHOICE containing a variable that has DELETE in it? Or a variable that has ‘;’ in it? Is there anything else that I should do?
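An added example, not part of the original post or of any reply: instead of screening `@CHOICE` for `DELETE` or `;`, the procedure name is checked against an exact-match allow-list and the arguments are passed as bind parameters, so they never become part of the SQL text. The procedure names, argument counts, sample values and the use of DBI with DBD::ODBC are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list: the only procedures this program may run,
# each mapped to the number of arguments it takes.
my %ALLOWED = (
    'dbo.usp_GetOrders'   => 2,
    'dbo.usp_GetCustomer' => 1,
);

# Return (SQL text, bind values). Caller-supplied values never enter the
# SQL text; they are handed to the driver separately as bind parameters.
sub build_call {
    my ($sproc, @args) = @_;

    # Exact-match lookup: anything not listed (system procedures, or a
    # name with extra SQL appended) is refused before any SQL is built.
    die "procedure not permitted: $sproc\n"
        unless exists $ALLOWED{$sproc};
    die "wrong argument count for $sproc\n"
        unless @args == $ALLOWED{$sproc};

    my $placeholders = join ', ', ('?') x @args;
    return ("{call $sproc($placeholders)}", @args);
}

# Constructed sample input, including a hostile second argument.
my ($sql, @bind) = build_call('dbo.usp_GetOrders', 42, '1; DROP TABLE Orders');
print "$sql\n";
print "bind: [$_]\n" for @bind;

# A system procedure or a tampered name is rejected outright.
for my $bad ('xp_cmdshell', 'dbo.usp_GetOrders; DELETE FROM Orders') {
    eval { build_call($bad, 1); 1 } or print "rejected: $@";
}

# With a live connection (assumed: DBI handle $dbh opened via DBD::ODBC):
#   my $sth = $dbh->prepare($sql);
#   $sth->execute(@bind);
```

Binding protects the `EXEC` statement itself; a stored procedure that concatenates its own parameters into dynamic SQL still needs to be fixed on the server side.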
Replies are listed 'Best First'.
Re: Preventing malicious T-SQL injection attacks
by bart (Canon) on Mar 05, 2007 at 11:18 UTC
Re: Preventing malicious T-SQL injection attacks
by davorg (Chancellor) on Mar 05, 2007 at 12:54 UTC
Re: Preventing malicious T-SQL injection attacks
by jonadab (Parson) on Mar 05, 2007 at 12:35 UTC
Re: Preventing malicious T-SQL injection attacks
by Moron (Curate) on Mar 05, 2007 at 13:07 UTC
by smithers (Friar) on Mar 05, 2007 at 18:41 UTC
by Moron (Curate) on Mar 05, 2007 at 18:57 UTC
Re: Preventing malicious T-SQL injection attacks
by Trizor (Pilgrim) on Mar 05, 2007 at 12:32 UTC