PerlMonks  

Re: is this mentality safe?

by nferraz (Monk)
on May 18, 2007 at 10:48 UTC [id://616178]


in reply to is this mentality safe?

"As long as I taint and use placeholders with DBI, theres no way they'll ever be a SQL injection through this web app"

Tainting helps, but won't solve the problem, because it's always possible to untaint poorly (e.g., if you black list unacceptable patterns, instead of white listing the acceptable ones).

Do you think that placeholders, by themselves, entirely solve the problem of SQL injections? That's the question.

Re^2: is this mentality safe?
by clinton (Priest) on May 18, 2007 at 11:04 UTC
    I stand under correction, but I would say yes. The reason being that everything in a placeholder goes via $dbh->quote(), so unless there is a bug in the quoting code, it should be fine.

    Also, DBI runs only one command at a time, so sticking two commands in there (as is usually done with SQL injections), shouldn't succeed.

    YMMV

    clint

      Yes, the DBI documentation says that only one command should be run at a time. That is more of a recommendation of how the DBI is intended to be used. It is not necessarily descriptive of what will be accepted. Whether multiple commands are accepted is up to the individual drivers and databases:

      In ODBC terms, the DBI is in "pass-thru" mode, although individual drivers might not be.
      - The DBI documentation

      I have seen DBD::mysql and DBD::Sybase accept multiple commands at a time. I don't know about other drivers.

      But, as you say, unless there's a bug in the quoting code, placeholders are quite safe. They won't necessarily prevent you from running multiple commands at once, but they will prevent user-supplied data from being interpreted as SQL commands.

Re^2: is this mentality safe?
by Errto (Vicar) on May 18, 2007 at 21:13 UTC
    If you never include user-supplied data directly in a SQL statement passed to DBI, then yes, you have entirely solved the problem of SQL injection. Placeholders are the tool that lets you do that.
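The point made in this thread (the bound value of a placeholder can never become SQL, and $dbh->quote() does the same job for a literal) shown in a runnable script. This is an added example, not code from any of the posters; it assumes DBD::SQLite is installed, and the table rows and the hostile input strings are constructed here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example; assumes DBD::SQLite is available. In-memory database so
# nothing is written to disk.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });

$dbh->do('CREATE TABLE users (name TEXT, secret TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, secret) VALUES (?, ?)');
$ins->execute('alice', 'a1');   # constructed sample rows
$ins->execute('bob',   'b2');

# Constructed hostile input: a single quote closes the literal and the
# rest is read as SQL if the string is pasted into the statement.
my $input = "x' OR '1'='1";

# 1. Interpolation: the input changes the meaning of the WHERE clause,
#    so the query returns every row instead of none.
my $rows = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE name = '$input'");
printf "interpolated: %d row(s)\n", scalar @$rows;

# 2. Placeholder: the whole string is bound as one value and compared
#    against the column, so no row matches.
$rows = $dbh->selectall_arrayref(
    'SELECT name FROM users WHERE name = ?', undef, $input);
printf "placeholder:  %d row(s)\n", scalar @$rows;

# 3. $dbh->quote() produces a safe literal (embedded quote doubled) for
#    the rare spots where a placeholder cannot be used, e.g. a dynamic
#    IN (...) list built from user data.
print "quoted literal: ", $dbh->quote($input), "\n";

# 4. The "two commands" point from the thread: a bound value is data,
#    so it cannot start a second statement; the table survives.
$rows = $dbh->selectall_arrayref(
    'SELECT name FROM users WHERE name = ?', undef,
    "alice'; DROP TABLE users; --");
my ($count) = $dbh->selectrow_array('SELECT count(*) FROM users');
printf "stacked input: %d row(s) matched, %d rows still in table\n",
    scalar @$rows, $count;

$dbh->disconnect;
```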
