WebApp Sec mailing list archives
Re: SQL Injection Basics
From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Tue, 11 Feb 2003 23:32:40 -0700
perl/DBI/DBD to access a database like mysql, works great, and you don't even have to think about security, just remember to pass any variables in as bind variables. Here's an example: use DBI; $dbh = DBI->connect("DBI:$dbsystem:$dbname", $dbuser, $dbpass); $sth = $dbh->prepare("INSERT INTO contacts (name,email) VALUES (?,?)"); $sth->execute($name,$email);
true. Yes but I think we need to be paranoid anyhow.
Some people mentioned that if you use prepared statements "you lose compatibility with different database systems." If I understand DBI correctly, it was designed so the code written above will work with any database with only one modification: updating the global variable $dbsystem from "mysql" to "oracle" for example. Of course if you the database you're switching to has different "features" than the one you're switching from, there's nothing DBI can do to help you with that.
That is the intent of DBI:: Although this is the one I am most familiar with it is very specific.
So I would go so far as to say using DBI's prepared statements for database interaction is considered a "best practice" for securely accessing a database in perl. I'm curious if there's a central repository of other such "best practices" for other languages (ASP, java, PHP, etc.). I went to
AFAIK there isn't any for the langs you mention. Best Regards, dreamwvr () dreamwvr com -- /* Security is a work in progress - dreamwvr */ # # Note: To begin Journey type man afterboot,man help,man hier[.] # // "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \? ;-]
Current thread:
- RE: SQL Injection Basics, (continued)
- RE: SQL Injection Basics Logan F.D. Greenlee (Feb 10)
- RE: SQL Injection Basics Brass, Phil (ISS Atlanta) (Feb 11)
- RE: SQL Injection Basics Eric Appelboom (Feb 11)
- Re: SQL Injection Basics Kevin Spett (Feb 11)
- RE: SQL Injection Basics Patrick Debois (Feb 11)
- RE: SQL Injection Basics Logan F.D. Greenlee (Feb 11)
- RE: SQL Injection Basics Mark Mcdonald (Feb 11)
- Re: SQL Injection Basics Jim McGarvey (Feb 11)
- Re: SQL Injection Basics Mark Curphey (Feb 11)
- Re: SQL Injection Basics Jim McGarvey (Feb 12)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 12)
- Re: SQL Injection Basics Jim McGarvey (Feb 11)
- RE: SQL Injection Basics David Cameron (Feb 11)
- RE: SQL Injection Basics Mark Mcdonald (Feb 11)
- RE: SQL Injection Basics Jason Benson (Feb 12)
- RE: SQL Injection Basics David Cameron (Feb 12)
- Re: SQL Injection Basics Alex Russell (Feb 12)
- RE: SQL Injection Basics David Cameron (Feb 12)
- RE: SQL Injection Basics Brass, Phil (ISS Atlanta) (Feb 13)
- Re: SQL Injection Basics Bart McKinnley (Feb 14)