Is DBI prepare() statement enough for SQL injection?

howa
      02-25-2008
I have just found a simple case where it is not, e.g.

#--------------------------------------------------

use strict;
use DBI;
use Data::Dumper;

my $dbh = DBI->connect("DBI:mysql:database=information_schema;host=localhost", "root", "",
    { RaiseError => 1, AutoCommit => 1 });

my $input = "%a"; # User hack by using wildcard

my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE `CHARACTER_SET_NAME` LIKE ? ");
$sth->execute( $input . "%" ); # Originally you let the user search by prefix

while ( my $data = $sth->fetchrow_hashref() ) {
    print Dumper $data;
}

#--------------------------------------------------

So we should not 100% believe that prepare() makes you 100% SQL
injection free.

Any other cases you want to share?

Howard
xhoster@gmail.com
      02-25-2008
howa <(E-Mail Removed)> wrote:
> I have just found a simple case where it is not, e.g.
>
> #--------------------------------------------------
>
> use strict;
> use DBI;
> use Data::Dumper;
>
> my $dbh = DBI->connect("DBI:mysql:database=information_schema;host=localhost", "root", "",
>     { RaiseError => 1, AutoCommit => 1 });
>
> my $input = "%a"; # User hack by using wildcard


That is not SQL injection.

>
> my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE `CHARACTER_SET_NAME` LIKE ? ");
> $sth->execute( $input . "%" ); # Originally you let the user search by prefix


What do you mean by "originally"? You have shown us only one version
of your code, there is no "originally".


> So we should not 100% believe that prepare() makes you 100% SQL
> injection free.


There is no SQL injection. The submitted value did not escape from what
was intended to be a data value out into general SQL syntax. It stayed in
the data value. The fact that that data value can be something you don't
want does not make an SQL injection.

> Any other cases you want to share?


There are thousands of ways to be incompetent. You want a listing of
all of them?

Xho

--
-------------------- http://NewsReader.Com/ --------------------
The costs of publication of this article were defrayed in part by the
payment of page charges. This article must therefore be hereby marked
advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
this fact.
Joost Diepenmaat
      02-25-2008
howa <(E-Mail Removed)> writes:

> my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE `CHARACTER_SET_NAME` LIKE ? ");
> $sth->execute( $input . "%" ); # Originally you let the user search by prefix


That's no different from cases where you pass values to SQL predicates
or functions: placeholders only make sure your values are passed as is,
IOW they only take care of quoting. They don't prevent you from passing
values that you don't like.

--
Joost Diepenmaat | blog: http://joost.zeekat.nl/ | work: http://zeekat.nl/
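The distinction Joost and Xho draw can be shown side by side: the placeholder keeps "%a" inside the data value, so the fix for an unwanted wildcard is to escape LIKE metacharacters in the value before binding it. This is an added example, not code from the thread; it assumes DBD::SQLite so it runs self-contained against a constructed in-memory table (the table name, rows and escape_like/names_with_prefix helpers are made up for the illustration).

```perl
#!/usr/bin/perl
# Added example: binding a value with a placeholder quotes it, but LIKE
# still interprets '%' and '_' inside the value. For a literal prefix
# search, escape those characters first, then bind the escaped pattern.
use strict;
use warnings;
use DBI;

# Escape the characters LIKE treats specially: '%', '_' and the escape
# character itself. '!' is used as the escape character (rather than the
# backslash) so the same SQL works unchanged on SQLite and MySQL.
# Must agree with the ESCAPE clause in the query below.
sub escape_like {
    my ($s) = @_;
    $s =~ s/([!%_])/!$1/g;
    return $s;
}

# Prefix search, either naive (wildcards in the input are honoured) or
# with the user value escaped so it can only match literally.
sub names_with_prefix {
    my ($dbh, $prefix, $escape) = @_;
    my $pattern = ($escape ? escape_like($prefix) : $prefix) . '%';
    my $sth = $dbh->prepare(
        q{SELECT name FROM charsets WHERE name LIKE ? ESCAPE '!' ORDER BY name}
    );
    $sth->execute($pattern);    # the pattern is still a bound data value
    return map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# Constructed sample data standing in for information_schema.CHARACTER_SETS.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE charsets (name TEXT)');
$dbh->do('INSERT INTO charsets VALUES (?)', undef, $_)
    for qw(armscii8 ascii big5 latin1 utf8);

my $input = '%a';   # the user-supplied "prefix" from the original post

# Naive: the bound pattern is '%a%', which matches every name containing 'a'.
print "naive:    ", join(' ', names_with_prefix($dbh, $input, 0)), "\n";

# Escaped: the bound pattern is '!%a%', matching only names that literally
# start with '%a', i.e. the wildcard is neutralised.
print "escaped:  ", join(' ', names_with_prefix($dbh, $input, 1)), "\n";

# An ordinary prefix is unaffected by the escaping.
print "prefix a: ", join(' ', names_with_prefix($dbh, 'a', 1)), "\n";
```

The same escaping applies to `_`, which matches any single character and is easy to overlook because it looks harmless in ordinary input.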