Morten Reistad 12-09-2011 12:06 AM

Re: A_Modest_1_bit_Proposal_about_Quotification_-_making_the_Default_Easy
 
In article <dfn7r8-n113.ln1@ntp6.tmsw.no>,
Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
>Andy "Krazy" Glew wrote:
>> Listening to an old "Security Now" podcast while doing my morning
>> stretches.
>>


>> (http://www.unixwiz.net/techtips/sql-injection.html provides examples,
>> as does Wikipedia.)

>
>You had me until this point Andy, that's a pretty good explanation of
>SQL injection.
>>
>> The general solution to this is "quotification": take the user input,

>
>And here is where you go wrong:
>
>The general solution is to totally separate parsing from user input,
>i.e. in your example above you would first parse the SELECT statement,
>using question marks as placeholders for where you expect input.


Indeed. As telecom learned the hard way with blue boxing etc.; never
have in-band command and signalling.

If it is in-band someone will find a way to unravel the protection.

>Later on you execute that prepared (i.e. parsed) statement, substituting
>the actual user input for the placeholders:
>
>I.e. in perl this looks like this:
>
> # Let the DB parser see only static strings like this:
> # (the placeholder must be bare; a quoted '?' is just a one-character
> # string literal and execute() then has no placeholder to bind to)
> my $sth =
> $dbh->prepare("SELECT FIELDLIST FROM TABLE WHERE NAME = ?");
>
> # Get the possibly poisonous user input
> my $user_input = param('name');
> $sth->execute($user_input);
>
>[snip]
>> Perhaps better to make tainting the default. To flip the polarity of the
>> special bit. And to require that language syntax, keywords, etc., be
>> set only if the special bit is set.

>
>Perl actually has 'taint' as a builtin feature. :-)
>
>Terje


Morten ';update taxes set tax = 0.0 where name like "morten%reistad";'

-- mrr
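An added example, not part of the thread, that runs Terje's "parse first, bind later" advice against Morten's signature line as the user input. It assumes DBD::SQLite is available; the `taxes` table and its one row are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database (DBD::SQLite assumed) for the demo.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE taxes (name TEXT, tax REAL)");
$dbh->do("INSERT INTO taxes VALUES ('morten reistad', 42.0)");

# Morten's signature, used as the "possibly poisonous user input".
my $user_input = q{';update taxes set tax = 0.0 where name like "morten%reistad";'};

# 1. In-band: the data is spliced into the command channel, so the text
#    handed to the SQL parser is no longer the statement the programmer
#    wrote. Shown, not executed.
my $inband = "SELECT tax FROM taxes WHERE name = '$user_input'";
print "in-band SQL the parser would see:\n  $inband\n";

# 2. Out-of-band: the parser sees only the static string with a bare
#    placeholder; the input is bound afterwards and can only ever be data.
my $sth = $dbh->prepare("SELECT tax FROM taxes WHERE name = ?");
$sth->execute($user_input);
my $rows = $sth->fetchall_arrayref;
printf "rows matching the payload as a name: %d\n", scalar @$rows;

# 3. The quoted placeholder from the thread, for comparison: DBI sees a
#    literal '?' string and no placeholder, so execute() dies on the
#    bind-count mismatch instead of silently running something else.
eval {
    my $bad = $dbh->prepare("SELECT tax FROM taxes WHERE name = '?'");
    $bad->execute($user_input);
};
print "quoted '?' rejected: $@" if $@;

# 4. Prove the table is untouched: the payload never became a command.
my ($tax) = $dbh->selectrow_array(
    "SELECT tax FROM taxes WHERE name = ?", undef, 'morten reistad');
print "tax for morten reistad still $tax\n";
```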