in reply to Essential CGI Security Practices

I'm occasionally employed to do security audits for programs both written in Perl and in other languages, and there's one mistake that consistantly pops up and earns me my wage. I've had to give the same piece of advice many many times:

If you're dealing with a database, quote your values - properly.

If you're using DBI and placeholders, then you should never have this problem. Alas, I've seen far too much code that will bomb unexpectedly when Ms O'Donnell enters her surname, or will cost thousands when someone requests a username of '; rollback; begin; drop table customers; commit;. (Note the leading tick.)

If you're doing database work and don't know about the DBI module and placeholders, then go and read up on them now. They're worth it. Really.


Paul Fenwick
Perl Training Australia