DBI bind values [was Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)]

[Kelly.Setzer () INGRAMENTERTAINMENT COM (Kelly.Setzer () INGRAMENTERTAINMENT COM)]

On Sat, Feb 05, 2000 at 12:47:17PM +0100, van der Meulen, Robert wrote:
> > In the end, *all* (let me repeat that... **ALL**) incoming user data
> > should be passed through quote(), onlynumbers(), or scrubtable()...NO
> > EXCEPTIONS!  Passing user data straight into a SQL query is asking for
> > someone to tamper with your database.

No exceptions.  Not even if something is supposed to fail with invalid
input.  Always check it.  You know you don't control the client.
You may be overestimating how much control you have over your backend,
supporting software, or development environment.

[ original message reordered so the reply makes more sense ]
> If the script acessing the database uses DBI, it's better to handle a query
> the following way:
>
> $sth=$dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
>
> Using the '?' placeholders takes care of quoting, and allows re-execute()ing
> the query with different parameters.

I think you have to do the statement quoting on your own.  The ? binds
arguments for the DBI execute method and automatically does escaping on
the values passed to execute().

$sth=$dbh->prepare(q{ INSERT INTO table (foo,bar) VALUES (?,?) });

> $sth->execute($evil-unquoted-string, $evil-unquoted-other-string);

However, using the '?' placeholders does simplify a great many things.
It can also be a tremendous performance boost over calling prepare
each time.

Kelly

--
Kelly Setzer, Interstitial Engineering, Ingram Entertainment, Inc.
(615)287-4863 kelly.setzer () ingramentertainment com http://www.accessingram.com
"Only those who dare to fail greatly can ever achieve greatly." -- JFK