[PLUG] SQL insertion attacks
Randal L. Schwartz
merlyn at stonehenge.com
Thu Oct 31 13:01:41 UTC 2002
>>>>> "Jeme" == Jeme A Brelin <jeme at brelin.net> writes:
Jeme> More importantly, use TAINT CHECKING!
Jeme> #!/usr/bin/perl -T
Jeme> This won't let you use user input (like the $search_for in the example
Jeme> above) without first running it through some kind of filter of your own
Jeme> devising (preferably a regex that escapes metacharacters and the like).
Jeme> I don't think I've written a piece of perl (other than one liners) in
Jeme> years that didn't begin:
Jeme> #!/usr/bin/perl -Tw
Jeme> use strict;
That's not enough to catch this. A DBI call is not considered
"outside world" enough for tainted data to be annoying.
Good intention, insufficient result.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
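Randal's point, that perl's taint mode does not treat a DBI call as an "outside world" boundary, as an added Perl example that is not part of the thread or of anyone's posted code. It assumes DBD::SQLite is available; the table, its rows and the search term are constructed for the demonstration. The DBI attribute `TaintIn` used below is DBI's own (it makes DBI croak on tainted arguments when perl runs under `-T`); the whitelist regex and the 64-character limit are example choices.

```perl
#!/usr/bin/perl -T
# Added example: why -T alone does not stop tainted data reaching the database
# through DBI, and the two things that actually help (DBI's TaintIn attribute
# as a tripwire, and placeholders plus explicit untainting as the fix).
# Run as:  echo widget | perl -T taint_dbi.pl
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Constructed "user input": anything read from STDIN is tainted under -T.
my $search_for = <STDIN> // '';
chomp $search_for;
printf "search term is %stainted\n", tainted($search_for) ? '' : 'NOT ';

# Constructed in-memory table (assumes DBD::SQLite is installed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE items (name TEXT)');
$dbh->do(q{INSERT INTO items (name) VALUES ('widget')});
$dbh->do(q{INSERT INTO items (name) VALUES ('gadget')});

# 1. Taint mode does not object: DBI is an ordinary Perl module as far as
#    perl is concerned, so the tainted string is interpolated into the SQL
#    and sent to the database unchanged.
my $rows = $dbh->selectall_arrayref(
    "SELECT name FROM items WHERE name = '$search_for'");
printf "interpolated query ran under -T, %d row(s)\n", scalar @$rows;

# 2. DBI's TaintIn attribute is the missing tripwire: with it set, DBI checks
#    its arguments for taintedness and croaks instead of running the query.
$dbh->{TaintIn} = 1;
my $ok = eval {
    $dbh->selectall_arrayref(
        "SELECT name FROM items WHERE name = '$search_for'");
    1;
};
print $ok ? "TaintIn did not fire\n" : "TaintIn refused tainted SQL: $@";

# 3. The fix: untaint with a whitelist you can justify (assumption: item
#    names are word characters and spaces, at most 64 of them), then pass
#    the value as a bind parameter so it can never become part of the SQL.
my ($clean) = $search_for =~ /\A([\w ]{0,64})\z/
    or die "search term contains characters outside [A-Za-z0-9_ ]\n";
my $sth = $dbh->prepare('SELECT name FROM items WHERE name = ?');
$sth->execute($clean);            # passes TaintIn: $clean is untainted
while (my ($name) = $sth->fetchrow_array) {
    print "matched: $name\n";
}
$dbh->disconnect;
```

Note the order of the two halves of the fix: the placeholder is what removes the injection, and the regex capture is what satisfies taint mode (and `TaintIn`), so a regex that merely "escapes metacharacters" still leaves you building SQL from strings. Running the script without `-T` on the command line fails with "Too late for -T", which is perl's own reminder that taint mode is a property of how the interpreter was started.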