[PLUG] SQL insertion attacks

Randal L. Schwartz merlyn at stonehenge.com
Wed Oct 30 18:28:43 UTC 2002


>>>>> "Rich" == Rich Shepard <rshepard at appl-ecosys.com> writes:

Rich>   Thanks, Matt. Perhaps I should rephrase my question to ask if
Rich> anyone knows of such a breach of a linux-hosted site. I don't
Rich> run a web server here but I'm curious.

The "linux" part of the hosting is irrelevant.  It's just that
there's an "impedance mismatch" between Web Form Fields and
SQL, so you have to bridge the gap with a decent language (like Perl),
and when you don't do it right, people might be able to include
SQL-metacharacters into their data and "the fun begins".

Hint: this is wrong:

use CGI qw(param);

my $search_for = param('search_for');
# The form field is interpolated straight into the SQL text, so any
# quote or other SQL metacharacter in it changes the statement itself.
my $query = "SELECT name, address FROM atable WHERE name = '$search_for'";

For Perl, the key thing is *** use DBI placeholders ***.  It's amazing
how many people don't do that, and instead try to substitute into the
text.  Bleh.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
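As an added example that is not part of Randal's post: the interpolated query from the message beside the DBI-placeholder version he recommends, run against an in-memory SQLite table so it works without a web server. It assumes DBD::SQLite is installed; the table name and columns follow the post, and the rows and the test input (a name containing an apostrophe, standing in for a form field) are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. Table and rows are constructed here
# so the example runs offline; "atable" and its columns come from the post.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE atable (name TEXT, address TEXT)");
my $ins = $dbh->prepare("INSERT INTO atable (name, address) VALUES (?, ?)");
$ins->execute(@$_) for ["Alice", "1 Main St"], ["O'Brien", "2 Elm St"];

# The wrong way (as in the post): the field value becomes part of the SQL text,
# so the database parses whatever the user typed as SQL.
sub search_interpolated {
    my ($search_for) = @_;
    my $query = "SELECT name, address FROM atable WHERE name = '$search_for'";
    return $dbh->selectall_arrayref($query);
}

# The right way: the statement is fixed at prepare time and the value is
# bound separately, so it is only ever treated as data, never as SQL.
sub search_placeholder {
    my ($search_for) = @_;
    my $sth = $dbh->prepare("SELECT name, address FROM atable WHERE name = ?");
    $sth->execute($search_for);
    return $sth->fetchall_arrayref;
}

# Constructed input: an ordinary name that happens to contain a quote.
my $input = "O'Brien";

# Interpolation turns this into  WHERE name = 'O'Brien'  and the query fails.
my $rows = eval { search_interpolated($input) };
print "interpolated: ", ($@ ? "SQL error: $@" : scalar(@$rows) . " row(s)\n");

# The placeholder version returns the matching row without any escaping code.
$rows = search_placeholder($input);
printf "placeholder:  %d row(s): %s\n", scalar @$rows,
    join ", ", map { "$_->[0] at $_->[1]" } @$rows;
```

The failing case here is only a legitimate apostrophe; the same mechanism is what lets a hostile value rewrite the statement, and the placeholder version needs no per-field escaping logic to be safe because the value is never parsed as SQL at all.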


