Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

Re^3: Hacker Proofing My Script

by CountZero (Bishop)
on Oct 04, 2004 at 20:15 UTC ( #396375=note: print w/replies, xml ) Need Help??


in reply to Re^2: Hacker Proofing My Script
in thread Hacker Proofing My Script

Quite right, thanks for refreshing my memory! But I was not entirely wrong here: what is OK on one DB might be terribly insecure on another.

In that respect, MySQL supports prepared statements only since its version 4.1 and unless DBD::MySQL is updated to take advantage of it (I didn't think so), could it be that the placeholder-magic is faked by DBD/DBD::MYSLQ and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Replies are listed 'Best First'.
Re^4: Hacker Proofing My Script
by dave_the_m (Monsignor) on Oct 04, 2004 at 21:19 UTC
    could it be that the placeholder-magic is faked by DBD/DBD::MYSLQ and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.
    Not necessarily. The DBD::MySQL driver is likely to have been written by someone competent, who understands how to do the correct quoting to make it injection proof; this is in contrast to typical user-level code, which has a good chance of getting it wrong. So even faked placeholders buy you security.

    Dave.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://396375]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others making s'mores by the fire in the courtyard of the Monastery: (5)
As of 2020-01-29 11:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Notices?