PerlMonks  

Re: SQL Injection myths under DBI

by etcshadow (Priest)
on Apr 12, 2005 at 19:51 UTC


in reply to SQL Injection myths under DBI?

All I have to say is: give me a site you've built, and let's see how long it lasts.

Seriously. If I don't actually have control of your site within minutes, I can at least knock it off the net.

------------ :Wq Not an editor command: Wq

Re^2: SQL Injection myths under DBI?
by Andre_br (Pilgrim) on Apr 15, 2005 at 20:58 UTC
    Hello folks,

    Hey, I think one thing may have made me a little misunderstood on my intentions: I've posted the topic originally in the 'questions' section, not in the meditations. But it was moved by the administrator monks to this section, where it appeared as if I was 'meditating', when in fact I was just 'asking'.

    So perhaps the right title now for this 'meditation' would include a question mark after the "SQL Injection myths under DBI". I will update it as such to make it sound less like I am definitely giving some advice on tearing apart all the advice on CGI security we learn all the way from the Llama book. I really wasn't. So, as I think this may have caused justified hot reactions from some of you: sorry. Hey, tilly, no problem, man.

    Having said that, in fact the null byte really screws my idiot solution (I assume!) of just escaping the single quote. I tested it, and it doesn't matter which mess remains at the right side of the query after the query injection - the null byte really makes DBI unaware of aesthetics! It executes everything 'til the %00. Detail: if you want to test this, don't put the semicolon in the input; finish your evil query (on yourself, for test, we're the good guys!) with the null byte, not with a semicolon, otherwise it won't work and you will end up like me, saying SQL injection is not a problem when it really may be.

    Nevertheless, even with this technique, I couldn't crack myself if the escaping of backslashes was included in the filtering of the input. I'll go on searching the hacker manuals to see if I can find any way of overcoming this, but it really seems like a paradox. If I can't get a free single quote to be inside the query, I can't make the text I manage to input more than a strange string to be not matched in the query. If you guys know of something, please post it up.

    Cheers

    André

      could we not just delete the single quote(s) and other "bad" characters?
      $input =~ s/\'|\"|\@//g;
        could we not just delete the single quote(s) and other "bad" characters?

        No. Just no.

        Use DBI properly, i.e. use prepared statements with placeholders, and if you have to pass identifiers from dubious sources (i.e. outside your code, like a user or the network), quote them using quote_identifier().

        DBI automatically handles all quoting issues for values when using placeholders. And quote_identifier() handles the little remaining bit, identifiers. All of this is completely independent of the database actually used.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
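Added example (not code from the thread or from any of its posters) showing what Alexander's advice looks like in practice, and why the quote, backslash and null-byte inputs André describes stop mattering once values go through placeholders: the identifier is the only piece that still needs quote_identifier() plus a whitelist. It assumes DBD::SQLite is installed; the table, rows and inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: DBI placeholders for values, quote_identifier() for the one
# part that cannot be a placeholder (a column name). Assumes DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$dbh->do('INSERT INTO users (name, role) VALUES (?, ?)', undef, 'alice', 'admin');
$dbh->do('INSERT INTO users (name, role) VALUES (?, ?)', undef, 'bob',   'user');

# Inputs of the kinds discussed in the thread: a single quote, a trailing
# backslash, an embedded NUL byte. Bound as placeholders, each one is just a
# string to compare against; none of it is parsed as SQL.
my @inputs = ("alice", "alice' OR 'a'='a", "alice\\", "alice\0 AND 1=1");

# Identifiers cannot be bound, so restrict them to a known set first and then
# let the driver quote them; this is the quote_identifier() case.
my %sortable = map { $_ => 1 } qw(id name role);

sub find_users {
    my ($name, $sort_col) = @_;
    die "unsortable column: $sort_col\n" unless $sortable{$sort_col};
    my $col = $dbh->quote_identifier($sort_col);
    my $sth = $dbh->prepare(
        "SELECT id, name, role FROM users WHERE name = ? ORDER BY $col");
    $sth->execute($name);   # the value never touches the SQL text
    return $sth->fetchall_arrayref;
}

for my $in (@inputs) {
    my $rows = find_users($in, 'name');
    (my $shown = $in) =~ s/\0/\\0/g;   # make the NUL visible when printing
    printf "%-22s -> %d row(s)\n", "'$shown'", scalar @$rows;
}
# Only the literal name "alice" matches; the other three return no rows.

# A column name that is not whitelisted is rejected before any SQL is built.
eval { find_users('alice', 'name; DROP TABLE users') };
print "rejected: $@" if $@;
```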
