
Re: SQL Injection myths under DBI

by etcshadow (Priest)
on Apr 12, 2005 at 23:51 UTC (#447213=note)

in reply to SQL Injection myths under DBI?

All I have to say is: give me a site you've built, and let's see how long it lasts.

Seriously. If I don't actually have control of your site within minutes, I can at least knock it off the net.

------------ :Wq Not an editor command: Wq

Re^2: SQL Injection myths under DBI?
by Andre_br (Pilgrim) on Apr 16, 2005 at 00:58 UTC
    Hello folks,

    Hey, I think one thing may have caused my intentions to be a little misunderstood: I've posted the topic originally in the 'questions' section, not in the meditations. But it was moved by the administrator monks to this section, where it appeared as if I was 'meditating', when in fact I was just 'asking'.

    So perhaps the right title now for this 'meditation' would include a question mark after the "SQL Injection myths under DBI". I will update it to that, to make it sound less like I am definitely giving advice on tearing apart all the advice on CGI security we learn all the way from the Llama book. I really wasn't. So, I think this can have caused justified hot reactions from some of you. Sorry. Hey, tilly, no problem, man.

    Having said that, in fact the null byte really screws my idiot solution (I assume!) of just escaping the single quote. I tested it and it doesn't matter which mess remains at the right side of the query after the injection: the null byte really makes DBI unaware of aesthetics! It executes everything 'till the %00. Detail: if you want to test this, don't put the semicolon in the input; finish your evil query (on yourself, for test, we're the good guys!) with the null byte, not with a semicolon, otherwise it won't work and you will end up like me, saying SQL injection is not a problem when it really may be.

    Nevertheless, even with this technique, I couldn't crack myself if the escaping of backslashes was included in the filtering of the input. I'll go on searching the hacker manuals to see if I can find any way of overcoming this, but it really seems like a paradox. If I can't get a free single quote to be inside the query, I can't make the text I manage to input more than a strange string that is not matched in the query. If you guys know of something, please post it up.



      could we not just delete the single quote(s) and other "bad" characters?
      $input =~ s/\'|\"|\@//g;
        could we not just delete the single quote(s) and other "bad" characters?

        No. Just no.

        Use DBI properly, i.e. use prepared statements with placeholders, and if you have to pass identifiers from dubious sources (i.e. outside your code, like a user or the network), quote them using quote_identifier().

        DBI automatically handles all quoting issues for values when using placeholders, and quote_identifier() handles the little remaining bit, identifiers. All of this is completely independent of the database actually used.


        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
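The contrast the reply above draws, a hand-rolled quote filter versus DBI placeholders and quote_identifier(), as an added example that is not part of the thread or of DBI's own documentation. It assumes DBD::SQLite is installed and uses an in-memory database so it runs without a server; the table, the rows and the attacker input are constructed for the example. The naive filter copies the thread's idea of backslash-escaping the single quote, which is MySQL syntax: SQLite, like standard SQL, doubles the quote instead and does not treat a backslash as an escape, so the "escaped" quote still terminates the string literal. That is exactly the database dependence the reply warns about, and it is why the placeholder version is the one that survives a change of backend.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database: no server needed, nothing persists.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, role) VALUES (?, ?)');
$ins->execute(@$_) for (['alice', 'admin'], ['bob', 'user']);

# The home-grown filter from the thread: backslash-escape the single quote.
# This is MySQL-only syntax; SQLite reads 'x\' as the two-character string
# "x\" and the quote still closes the literal.
sub naive_escape {
    my ($s) = @_;
    $s =~ s/'/\\'/g;
    return $s;
}

# Constructed attacker input (assumption, not from the original post).
my $evil = "x' OR 1=1 --";

# 1. Interpolation after naive escaping. The WHERE clause becomes
#       name = 'x\' OR 1=1 --'
#    so "OR 1=1" is live SQL and "--" comments out the dangling quote.
my $sql  = "SELECT name FROM users WHERE name = '" . naive_escape($evil) . "'";
my $rows = $dbh->selectall_arrayref($sql);
printf "interpolated: %d row(s): %s\n",
    scalar @$rows, join(',', map { $_->[0] } @$rows);   # every user leaks

# 2. Placeholder: the same input is bound as a value, never parsed as SQL.
my $sth = $dbh->prepare('SELECT name FROM users WHERE name = ?');
$sth->execute($evil);
$rows = $sth->fetchall_arrayref;
printf "placeholder:  %d row(s)\n", scalar @$rows;        # no match

# 3. Identifiers cannot be bound with "?". Check the column name against a
#    whitelist, then quote it with quote_identifier() so it is emitted as a
#    single quoted identifier rather than spliced in as raw SQL.
my %allowed_cols = map { $_ => 1 } qw(name role);

sub select_ids_by {
    my ($col, $value) = @_;
    die "unknown column: $col\n" unless $allowed_cols{$col};
    my $q = sprintf 'SELECT id FROM users WHERE %s = ?',
        $dbh->quote_identifier($col);
    return $dbh->selectcol_arrayref($q, undef, $value);
}

print "admins: @{ select_ids_by('role', 'admin') }\n";     # id 1 only
eval { select_ids_by('role" OR 1=1 --', 'x') };
print "rejected: $@" if $@;                                # whitelist fires
```

The whitelist in step 3 is the part quote_identifier() does not do for you: quoting stops an identifier from breaking out of the name, but it does not decide whether the caller should be allowed to name that column at all.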
