Morten Reistad 12-09-2011 12:06 AM

Re: A_Modest_1_bit_Proposal_about_Quotification_-_making_the_Default_Easy
In article <>,
Terje Mathisen <"terje.mathisen at"> wrote:
>Andy "Krazy" Glew wrote:
>> Listening to an old "Security Now" podcast while doing my morning
>> stretches.

>> ( provides examples,
>> as does Wikipedia.)

>You had me until this point Andy, that's a pretty good explanation of
>SQL injection.
>> The general solution to this is "quotification": take the user input,

>And here is where you go wrong:
>The general solution is to totally separate parsing from user input,
>i.e. in your example above you would first parse the SELECT statement,
>using question marks as placeholders for where you expect input.

Indeed. As telecom learned the hard way with blue boxing etc;
never have in-band command and signalling.

If it is in-band someone will find a way to unravel the protection.

>Later on you execute that prepared (i.e. parsed) statement, substituting
>the actual user input for the placeholders:
>I.e. in perl this looks like this:
> # Let the DB parser see only static strings like this:
> my $sth =
> # Get the possibly poisonous user input
> my $user_input = param('name');
> $sth->execute($user_input);
>> Perhaps better to make tainting the default. To flip the polarity of the
>> special bit. And to require that language syntax, keywords, etc., be
>> set only if the special bit is set.

>Perl actually has 'taint' as a builtin feature. :-)

Morten ';update taxes set tax = 0.0 where name like "morten%reistad";'

-- mrr
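The separation Terje describes (parse the statement with placeholders first, bind the user's value afterwards), shown here with Python's sqlite3 DB-API rather than Perl DBI, as an added example that is not part of the thread. The taxes table and its rows are constructed for the demonstration; the hostile "name" is the string from Morten's signature.

```python
import sqlite3

# The statement text is fixed: the DB parser only ever sees these strings.
LOOKUP_SQL = "SELECT tax FROM taxes WHERE name = ?"
INSERT_SQL = "INSERT INTO taxes (name, tax) VALUES (?, ?)"

# Constructed sample data; the hostile string is the one from the signature.
SAMPLE_ROWS = [("morten reistad", 42.0), ("terje mathisen", 37.5)]
HOSTILE_NAME = "';update taxes set tax = 0.0 where name like \"morten%reistad\";'"


def make_db():
    """In-memory taxes table filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxes (name TEXT PRIMARY KEY, tax REAL)")
    conn.executemany(INSERT_SQL, SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_tax(conn, user_input):
    """Prepared lookup: user_input is bound as a value, never spliced into SQL."""
    row = conn.execute(LOOKUP_SQL, (user_input,)).fetchone()
    return None if row is None else row[0]


def total_tax(conn):
    """Sum of all tax values, used to show the table was not modified."""
    return conn.execute("SELECT SUM(tax) FROM taxes").fetchone()[0]


def demo():
    conn = make_db()
    before = total_tax(conn)
    # Bound as data, the hostile string simply matches no name ...
    hostile_hit = lookup_tax(conn, HOSTILE_NAME)
    # ... and the UPDATE embedded in it was never parsed, so nothing changed.
    after = total_tax(conn)
    # Stored through a placeholder, the same string is just an odd-looking name.
    conn.execute(INSERT_SQL, (HOSTILE_NAME, 1.0))
    stored = lookup_tax(conn, HOSTILE_NAME)
    return {"hostile_hit": hostile_hit, "before": before,
            "after": after, "stored": stored}


if __name__ == "__main__":
    print(demo())
```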
