Re: Use PPI to Find SQL Injection Attacks


There's more than one way to do things
	PerlMonks

Re: Use PPI to Find SQL Injection Attacks

by jZed (Prior)

on Aug 14, 2007 at 18:14 UTC ( [id://632560]=note: print w/replies, xml )

Need Help??

in reply to Use PPI to Find SQL Injection Attacks

Unless I'm misreading, some of the more serious false negatives include:


$dbh->do(qq{
    /* comment */ INSERT INTO foo VALUES('$bad_stuff')
});
$dbh->do(qq{
   INSERT INTO foo VALUES($bad_stuff)
});
$dbh->do( sprintf(
 "INSERT INTO foo VALUES(%s)", $bad_stuff
));
[download]

A better approach might be to find all the prepare() and do() statements and run them through a safe DBI subclass that does the prepare and evaluates what it prepared.

Comment on Re: Use PPI to Find SQL Injection Attacks Download Code

Replies are listed 'Best First'.
Re^2: Use PPI to Find SQL Injection Attacks by Ovid (Cardinal) on Aug 14, 2007 at 18:58 UTC
Excellent points on the SQL. I like the DBI subclass idea. Can you point me to some examples? I've never tried to do anything like that before. Cheers, Ovid New address of my CGI Course.	[reply]
Re^3: Use PPI to Find SQL Injection Attacks by jZed (Prior) on Aug 14, 2007 at 19:08 UTC
A minimal DBI subclass can be found here: Interpolate binds into SQL on error - DBI subclassing (possibly not the best example but since I wrote it I knew where to find it :-)). Basically you'd need to redefine execute() to do nothing, and redefine prepare() (in MyDBI::db) to do your injection checking.	[reply]

In Section Cool Uses for Perl

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://632560]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others learning in the Monastery: (2)

As of 2024-04-19 01:37 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found