
Re^5: DBH Insert of Binary Data

by jZed (Prior)
on Mar 18, 2005 at 22:55 UTC (#440823)

in reply to Re^4: DBH Insert of Binary Data
in thread DBH Insert of Binary Data

Try this with your favorite DBD. The DBD and/or the RDBMS may prevent the injection at some later time, but the quote method has little to do with it.
    my $val = $dbh->quote(q{Boston;DELETE FROM myTable});
As for the quote method not messing up a binary, you're probably correct in most cases, but in cases where the DBD supports several escaping methods (e.g. both '' and \') it's possible to have problems. And even where it doesn't cause problems, you're adding three different steps to the process - quoting the Blob, unquoting the Blob, and parsing the Blob as a value within the SQL string.

Re^6: DBH Insert of Binary Data
by Joost (Canon) on Mar 19, 2005 at 01:36 UTC
    #!perl -w
    use strict;
    use DBI;
    my $dbh = DBI->connect('DBI:mysql:database=test','xxx','yyy',) || die;
    print $dbh->quote(q{Boston;DELETE FROM myTable});
    __END__
    'Boston;DELETE FROM myTable'

    I don't see your point. If any DBD driver lets this through (and DBD::mysql doesn't), it's a major bug. Yes, it might be inefficient, but it should never lead to a security risk if used correctly.

        > If any DBD driver let's this through, (and DBD::mysql
        > doesn't), it's a major bug.

        So now I'm getting curious: are there DBD drivers where you could get an SQL injection attack while still using the quote method correctly?

        Just to make myself as clear as I can: I agree that using placeholders is usually the best and most efficient technique, but I am under the impression that using quote() would (or at least, should) catch all attempts of "breaking out of" an SQL value.

        updated: s/attact/attack/
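The following is an added example, not code posted by jZed or Joost, that puts the three approaches discussed in this thread side by side: hand-written quotes around interpolated data (the real injection), $dbh->quote() used correctly (the value stays one literal, which is Joost's point), and a placeholder bound as SQL_BLOB for binary data (no quote/unquote/parse round trip through the SQL text, which is jZed's point about blobs). It assumes DBD::SQLite is installed and uses an in-memory database and the table name myTable from the thread; the thread itself uses DBD::mysql, but every DBI call here is driver-neutral. The DBD::SQLite attribute sqlite_allow_multiple_statements is set only so the first case can actually execute the "a; b" string, and the hostile input is constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI qw(:sql_types);   # exports SQL_BLOB

# Added example, not from the thread. Assumes DBD::SQLite is installed.
# sqlite_allow_multiple_statements is needed for case 1 only: without it
# DBD::SQLite executes just the first statement of "a; b".
sub fresh_db {
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, PrintError => 0, AutoCommit => 1,
          sqlite_allow_multiple_statements => 1 });
    $dbh->do('CREATE TABLE myTable (id INTEGER PRIMARY KEY, name TEXT, payload BLOB)');
    return $dbh;
}

sub row_count {
    my ($dbh) = @_;
    return ($dbh->selectrow_array('SELECT COUNT(*) FROM myTable'))[0];
}

# Constructed attacker input: closes the literal and the VALUES list, then
# appends a second statement that is itself syntactically complete.
my $hostile = q{x'); DELETE FROM myTable WHERE name <> ('};

# 1. Hand-written quotes around interpolated data: the embedded ' ends the
#    literal, so the DELETE is SQL, not data, and empties the table.
{
    my $dbh = fresh_db();
    $dbh->do("INSERT INTO myTable (name) VALUES ('$hostile')");   # DON'T
    row_count($dbh) == 0 or die "expected the injected DELETE to empty the table";
}

# 2. $dbh->quote() used correctly: the ' is escaped (DBI's default doubles
#    it; DBD::mysql backslash-escapes instead), so the value stays one
#    literal and the thread's "Boston;DELETE FROM myTable" is just a string.
{
    my $dbh = fresh_db();
    my $lit = $dbh->quote($hostile);   # 'x''); DELETE FROM myTable WHERE name <> ('''
    $dbh->do("INSERT INTO myTable (name) VALUES ($lit)");
    $dbh->do('INSERT INTO myTable (name) VALUES ('
             . $dbh->quote(q{Boston;DELETE FROM myTable}) . ')');
    row_count($dbh) == 2 or die "quote() let a statement through";
    my ($back) = $dbh->selectrow_array('SELECT name FROM myTable WHERE id = 1');
    $back eq $hostile or die "quoted value did not round-trip";
}

# 3. Binary data via a placeholder bound as SQL_BLOB: the bytes never enter
#    the SQL text, so there is no quoting, unquoting or parsing of the blob.
{
    my $dbh = fresh_db();
    my $blob = join '', map { chr } 0, 39, 92, 59, 0xFF, 0, 34;   # NUL ' \ ; 0xFF NUL "
    my $sth = $dbh->prepare('INSERT INTO myTable (name, payload) VALUES (?, ?)');
    $sth->bind_param(1, 'blob-row');
    $sth->bind_param(2, $blob, SQL_BLOB);
    $sth->execute;
    my ($back) = $dbh->selectrow_array(
        'SELECT payload FROM myTable WHERE name = ?', undef, 'blob-row');
    $back eq $blob or die "blob did not round-trip";
    printf "blob of %d bytes (NULs, quotes, backslash) round-tripped intact\n", length $blob;
}
print "ok\n";
```

Each block dies if the property it demonstrates does not hold, so running the script is the check: case 1 must end with zero rows, case 2 with two, and case 3 must return the exact bytes that were bound.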
