PerlMonks
Re^2: Hacker Proofing My Script

by jZed (Prior)
on Oct 04, 2004 at 19:48 UTC


in reply to Re: Hacker Proofing My Script
in thread Hacker Proofing My Script

Placeholders are not the same as "automatic quoting rules". The $dbh->quote() method applies quoting to the values and then those are *inserted into the SQL statement* and that SQL statement is passed to the RDBMS. OTOH, for an RDBMS that supports placeholders, and when placeholders are used instead of $dbh->quote(), the values are not quoted, *are not inserted into the SQL statement*, and are passed separately to the RDBMS along with the SQL statement, which still has placeholder marks in it. The RDBMS then operates on the statement + the values without ever needing to create a SQL statement that contains the values, and therefore without the danger of having unknown SQL statements (injected as values) executed. So if the RDBMS supports placeholders (as distinct from a DBD that emulates them), placeholders are much more secure than quoting, even quoting with $dbh->quote().
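An added example (not part of jZed's post) that runs the three approaches side by side with DBI against an in-memory SQLite database; it assumes DBD::SQLite is installed, and since SQLite binds placeholders natively it does not exercise the DBD::mysql emulation discussed in the replies.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; the database lives only in memory.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, secret TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 's1'), ('bob', 's2')");

# Constructed hostile input: text that rewrites the WHERE clause
# if it is ever pasted into the SQL statement unescaped.
my $input = "x' OR '1'='1";

# 1. Raw interpolation: the value becomes part of the SQL text,
#    so the injected OR clause is parsed and executed.
my $raw = $dbh->selectcol_arrayref(
    "SELECT name FROM users WHERE name = '$input'");
print "interpolated : ", scalar(@$raw), " row(s): @$raw\n";

# 2. $dbh->quote(): the value is escaped, but it is still spliced into
#    the statement text. This is only as safe as the escaping rules
#    matching what the server actually parses.
my $quoted = $dbh->selectcol_arrayref(
    "SELECT name FROM users WHERE name = " . $dbh->quote($input));
print "quoted       : ", scalar(@$quoted), " row(s): @$quoted\n";

# 3. Placeholder: the statement keeps its '?' and the value travels
#    separately to the engine, so it is never parsed as SQL at all.
my $sth = $dbh->prepare("SELECT name FROM users WHERE name = ?");
$sth->execute($input);
my @rows = map { $_->[0] } @{ $sth->fetchall_arrayref };
print "placeholder  : ", scalar(@rows), " row(s): @rows\n";

$dbh->disconnect;
```

Only the first query returns both users; the other two return nothing, because the input is compared as the literal string it is rather than interpreted as SQL.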

Re^3: Hacker Proofing My Script
by CountZero (Bishop) on Oct 04, 2004 at 20:15 UTC
    Quite right, thanks for refreshing my memory! But I was not entirely wrong here: what is OK on one DB might be terribly insecure on another.

    In that respect, MySQL supports prepared statements only since its version 4.1 and unless DBD::mysql is updated to take advantage of it (I didn't think so), could it be that the placeholder-magic is faked by DBD/DBD::mysql and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

      could it be that the placeholder-magic is faked by DBD/DBD::mysql and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.
      Not necessarily. The DBD::MySQL driver is likely to have been written by someone competent, who understands how to do the correct quoting to make it injection proof; this is in contrast to typical user-level code, which has a good chance of getting it wrong. So even faked placeholders buy you security.

      Dave.

Re^3: Hacker Proofing My Script
by awohld (Hermit) on Oct 04, 2004 at 21:02 UTC
    jZed -

    So you say if my database, which is mySQL 3.22.32, supports placeholders, then I don't have to worry if the DBD supports or emulates them?

    Thanks
    Adam

      I don't know a heck of a lot about MySQL, but according to gmax's excellent New twist for DBD::mysql, DBD::mysql currently does emulate placeholders but in such a way as to preserve security. I'd suggest reading his node for further details.
        It doesn't seem to be totally secure:
        As for LIMIT ?,?. The reason why it was not supported since 2.9002 is that it allowed for sql injection attacks, and it is not trivial to fix, in fact, I *just* scanned over Patrick's code and found a bug in the LIMIT handling code
        as can be read in Re: New twist for DBD::mysql.

        CountZero

        "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law
