Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: Preventing malicious T-SQL injection attacks

by davorg (Chancellor)
on Mar 05, 2007 at 12:54 UTC ( #603204=note: print w/replies, xml ) Need Help??


in reply to Preventing malicious T-SQL injection attacks

I second the idea of whitelisting the acceptable values for $SPROC and also using placeholders to insert the elements of @CHOICE into the SQL.

Combining the two ideas, might give something like this:

# %procs contains the names of the valid stored procs # together with the number of parameters each requires my %procs = ( proc1 => 2, proc2 => 0, proc3 => 1, # ... ); unless (exists $procs{$SPROC}) { die "Unknown stored proc: $SPROC\n"; } my $sql = "EXEC $SPROC ". join ', ', ('?') x $procs{$SPROC}; my $sth = $dbh->prepare($sql); $sth->execute(@CHOICE);

This code also has the advantage of dieing if the number of elements in @CHOICE doesn't match the expected number of parameters.

Replies are listed 'Best First'.
A reply falls below the community's threshold of quality. You may see it by logging in.
A reply falls below the community's threshold of quality. You may see it by logging in.
A reply falls below the community's threshold of quality. You may see it by logging in.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://603204]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (3)
As of 2021-03-01 06:06 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?