Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re^4: DBH Insert of Binary Data

by Joost (Canon)
on Mar 18, 2005 at 22:28 UTC ( [id://440817]=note: print w/replies, xml ) Need Help??


in reply to Re^3: DBH Insert of Binary Data
in thread DBH Insert of Binary Data

I mostly agree, but AFAIK, the $dbh->quote() method is (or should be) implemented by the specific DBD driver and should always escape correctly. Now, there might be situations or database where you can't just insert a quoted string in a BLOB, but SQL injection should not be possible with a $dbh->quote()d string.

The top post should remove the quotes around the quoted string, though, as $dbh->quote already provides them. Never mind, there aren't any.

Replies are listed 'Best First'.
Re^5: DBH Insert of Binary Data
by jZed (Prior) on Mar 18, 2005 at 22:55 UTC
    Try this with your favorite DBD. The DBD and/or the RDBMS may prevent the injection at some later time, but the quote method has little to do with it.
        my $val = $dbh->quote(q{Boston;DELETE FROM myTable});
    
    As for the quote method not messing up a binary, you're probably correct in most cases, but in cases where the DBD supports several escaping methods (e.g. both '' and \') it's possible to have problems. And even where it doesn't cause problems, you're adding three different steps to the process - quoting the Blob, unquoting the Blob, and parsing the Blob as a value within the SQL string.
      #!perl -w use strict; use DBI; my $dbh = DBI->connect('DBI:mysql:database=test','xxx','yyy',) || die; print $dbh->quote(q{Boston;DELETE FROM myTable}); __END__ 'Boston;DELETE FROM myTable'

      I don't see your point. If any DBD driver let's this through, (and DBD::mysql doesn't), it's a major bug. Yes, it might be inefficient, but it should never lead to a security risk if used correctly.

        > If any DBD driver let's this through, (and DBD::mysql 
        > doesn't), it's a major bug. 
        
        Agreed.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://440817]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others taking refuge in the Monastery: (6)
As of 2024-03-29 01:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found