PerlMonks
Re: Hacker Proofing My Script

by CountZero (Bishop)
on Oct 04, 2004 at 19:30 UTC (#396355=note)


in reply to Hacker Proofing My Script

What makes you think your script is immune from injection attacks? I'm not sure that using placeholders is sufficient (the DBI docs do not state that AFAIK) in that respect. Just relying on the automatic quoting rules in the placeholder code (which might be differently implemented in every DBD-driver) seems dangerous to me.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re^2: Hacker Proofing My Script
by jZed (Prior) on Oct 04, 2004 at 19:48 UTC
    Placeholders are not the same as "automatic quoting rules". The $dbh->quote() method applies quoting to the values and then those are *inserted into the SQL statement* and that SQL statement is passed to the RDBMS. OTOH, for an RDBMS that supports placeholders, and when placeholders are used instead of $dbh->quote(), the values are not quoted, *are not inserted into the SQL statement*, and are passed separately to the RDBMS along with the SQL statement which still has placeholder marks in it. The RDBMS then operates on the statement + the values without ever needing to create a SQL statement that contains the values and therefore without the danger of having unknown SQL statements (injected as values) executed. So if the RDBMS supports placeholders (as distinct from a DBD that emulates them), placeholders are much more secure than quoting, even quoting with $dbh->quote().
      Quite right, thanks for refreshing my memory! But I was not entirely wrong here: what is OK on one DB might be terribly insecure on another.

      In that respect, MySQL supports prepared statements only since its version 4.1 and unless DBD::MySQL is updated to take advantage of it (I didn't think so), could it be that the placeholder-magic is faked by DBD/DBD::MySQL and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.

      CountZero

      "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

        could it be that the placeholder-magic is faked by DBD/DBD::MySQL and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.
        Not necessarily. The DBD::MySQL driver is likely to have been written by someone competent, who understands how to do the correct quoting to make it injection proof; this is in contrast to typical user-level code, which has a good chance of getting it wrong. So even faked placeholders buy you security.

        Dave.

      jZed -

      So you say if my database, which is MySQL 3.22.32, supports placeholders, then I don't have to worry if the DBD supports or emulates them?

      Thanks
      Adam

        I don't know a heck of a lot about MySQL, but according to gmax's excellent New twist for DBD::mysql, DBD::mysql currently does emulate placeholders but in such a way as to preserve security. I'd suggest reading his node for further details.
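The three approaches jZed contrasts above (interpolating the value into the SQL text, splicing in a $dbh->quote()'d value, and binding the value through a placeholder), run side by side against the same hostile input. This is an added example, not code from the thread or from DBI/DBD::mysql; it assumes DBD::SQLite is installed so it can run offline against an in-memory database, the table, rows and attacker string are constructed here, and the DBI calls are the same ones you would use with DBD::mysql.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database needs no server.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed sample schema and rows.
$dbh->do("CREATE TABLE users (name TEXT, secret TEXT)");
my $ins = $dbh->prepare("INSERT INTO users (name, secret) VALUES (?, ?)");
$ins->execute(@$_) for ( [ 'alice', 's3cret-a' ], [ 'bob', 's3cret-b' ] );

# Attacker-controlled value, e.g. taken straight from a CGI parameter.
my $name = "nobody' OR '1'='1";

# 1. Interpolation: the value becomes part of the SQL text, so the quote in
#    it closes the literal and the rest is parsed as SQL (every row matches).
my $sql  = "SELECT name FROM users WHERE name = '$name'";
my $rows = $dbh->selectall_arrayref($sql);
printf "interpolated: %d row(s)  [%s]\n", scalar @$rows, $sql;

# 2. $dbh->quote(): the value is escaped by the driver and then still spliced
#    into the SQL text. Correct escaping is the driver's job here, and the
#    escaping rules are the driver's, which is what the thread is wary of.
$sql  = "SELECT name FROM users WHERE name = " . $dbh->quote($name);
$rows = $dbh->selectall_arrayref($sql);
printf "quoted:       %d row(s)  [%s]\n", scalar @$rows, $sql;

# 3. Placeholder: the SQL text sent to prepare() never contains the value;
#    the value travels separately in execute() and can only ever be data.
my $sth = $dbh->prepare("SELECT name FROM users WHERE name = ?");
$sth->execute($name);
$rows = $sth->fetchall_arrayref;
printf "placeholder:  %d row(s)  [%s]\n", scalar @$rows, $sth->{Statement};

# A placeholder stands for one value, never for SQL structure. Trying to bind
# a table name fails at prepare time instead of becoming part of the query.
eval { $dbh->prepare("SELECT name FROM ?")->execute('users') };
print "binding a table name as a value: ", ($@ ? "rejected" : "accepted"), "\n";

$dbh->disconnect;
```

The first query returns both rows, the other two return none. Note that the application code for case 3 does not change depending on whether the driver ships the value to the server separately or (as the thread says DBD::mysql did at the time) emulates the binding by escaping and splicing it in itself; the injection resistance of an emulating driver then rests on the driver's escaping being correct, which is the point Dave and jZed make above.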
