Bugtraq mailing list archives
DBI bind values [was Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)]
From: Kelly.Setzer () INGRAMENTERTAINMENT COM (Kelly.Setzer () INGRAMENTERTAINMENT COM)
Date: Mon, 7 Feb 2000 15:55:45 -0600
On Sat, Feb 05, 2000 at 12:47:17PM +0100, van der Meulen, Robert wrote:
In the end, *all* (let me repeat that... **ALL**) incoming user data should be passed through quote(), onlynumbers(), or scrubtable()...NO EXCEPTIONS! Passing user data straight into a SQL query is asking for someone to tamper with your database.
No exceptions. Not even if something is supposed to fail with invalid input. Always check it. You know you don't control the client. You may be overestimating how much control you have over your backend, supporting software, or development environment. [ original message reordered so the reply makes more sense ]
If the script acessing the database uses DBI, it's better to handle a query the following way: $sth=$dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)"); Using the '?' placeholders takes care of quoting, and allows re-execute()ing the query with different parameters.
I think you have to do the statement quoting on your own. The ? binds arguments for the DBI execute method and automatically does escaping on the values passed to execute(). $sth=$dbh->prepare(q{ INSERT INTO table (foo,bar) VALUES (?,?) });
$sth->execute($evil-unquoted-string, $evil-unquoted-other-string);
However, using the '?' placeholders does simplify a great many things. It can also be a tremendous performance boost over calling prepare each time. Kelly -- Kelly Setzer, Interstitial Engineering, Ingram Entertainment, Inc. (615)287-4863 kelly.setzer () ingramentertainment com http://www.accessingram.com "Only those who dare to fail greatly can ever achieve greatly." -- JFK
Current thread:
- RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) rain forest puppy (Feb 03)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Jaanus Kase (Feb 04)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Aaron Ross (Feb 08)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Jeremy Whittington (Feb 08)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Barclay Osborn (Feb 04)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) van der Meulen, Robert (Feb 05)
- DBI bind values [was Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)] Kelly.Setzer () INGRAMENTERTAINMENT COM (Feb 07)
- Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0 Jamie Fifield (Feb 05)
- Re: Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0 Torsten Landschoff (Feb 08)
- <Possible follow-ups>
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) rain forest puppy (Feb 08)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Smith, Eric V. (Feb 09)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) W. Craig Trader (Feb 09)
- FireWall-1 FTP Server Vulnerability John McDonald (Feb 09)
- ASP Security Hole (fwd) bgreenbaum () SECURITYFOCUS COM (Feb 09)
- Re: ASP Security Hole (fwd) Rob Systhine (Feb 10)
- Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability Mikael Olsson (Feb 10)
- NT Service Pack requirements (Bell Atlantic DSL) Bob Kline (Feb 10)
(Thread continues...)
- Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory) Jaanus Kase (Feb 04)