Re: A_Modest_1_bit_Proposal_about_Quotification_-_making_the_Default_Easy

Discussion in 'Perl' started by Morten Reistad, Dec 9, 2011.

  1. In article <>,
    Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
    >Andy "Krazy" Glew wrote:
    >> Listening to an old "Security Now" podcast while doing my morning
    >> stretches.
    >>


    >> (http://www.unixwiz.net/techtips/sql-injection.html provides examples,
    >> as does Wikipedia).

    >
    >You had me until this point Andy, that's a pretty good explanation of
    >SQL injection.
    >>
    >> The general solution to this is "quotification": take the user input,

    >
    >And here is where you go wrong:
    >
    >The general solution is to totally separate parsing from user input,
    >i.e. in your example above you would first parse the SELECT statement,
    >using question marks as placeholders for where you expect input.


    Indeed. As telecom learned the hard way with blue boxing etc.:
    never have in-band command and signalling.

    If it is in-band someone will find a way to unravel the protection.

    >Later on you execute that prepared (i.e. parsed) statement, substituting
    >the actual user input for the placeholders:
    >
    >I.e. in perl this looks like this:
    >
    > use DBI;
    > use CGI qw(param);
    > # $dbh is an already-connected DBI handle.
    > # Let the DB parser see only static strings like this; the bare ?
    > # is the placeholder (a ? inside quotes would be a string literal):
    > my $sth =
    > $dbh->prepare("SELECT FIELDLIST FROM TABLE WHERE NAME = ?");
    >
    > # Get the possibly poisonous user input and bind it at execute time
    > my $user_input = param('name');
    > $sth->execute($user_input);
    >
    >[snip]
    >> Perhaps better to make tainting the default. To flip the polarity of the
    >> special bit. And to require that language syntax, keywords, etc., be
    >> set only if the special bit is set.

    >
    >Perl actually has 'taint' as a builtin feature. :)
    >
    >Terje


    Morten ';update taxes set tax = 0.0 where name like "morten%reistad";'

    -- mrr
     
    Morten Reistad, Dec 9, 2011
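The in-band versus out-of-band point made in the thread, as an added example that is not part of the original post or of any poster's code. It uses Python's sqlite3 module with a constructed in-memory table (the rows are made up), and contrasts three ways of running the lookup: splicing user input into the statement text, binding it through a bare placeholder, and the quoted-placeholder pitfall visible in the Perl fragment above, where `'?'` is a string literal rather than a parameter.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny in-memory table.
SAMPLE_ROWS = [
    ("morten reistad", 1200.0),
    ("terje mathisen", 900.0),
    ("andy glew", 750.0),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxes (name TEXT, tax REAL)")
    conn.executemany("INSERT INTO taxes VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_inband(conn, user_input):
    """The pattern objected to in the thread: the user's bytes are spliced
    into the statement text, so the SQL parser receives data and command in
    the same band and cannot tell which quote marks belong to the program."""
    sql = "SELECT name, tax FROM taxes WHERE name = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_placeholder(conn, user_input):
    """Parse first, bind later: the parser only ever sees the static string,
    and the value arrives out of band through the ? placeholder, so quote
    characters in the input are just characters in a name."""
    sql = "SELECT name, tax FROM taxes WHERE name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def lookup_quoted_placeholder(conn, user_input):
    """The pitfall in the quoted Perl fragment: a ? inside quotes is a
    one-character string literal, not a placeholder, so the statement
    declares zero parameters and binding one of them fails."""
    sql = "SELECT name, tax FROM taxes WHERE name = '?'"
    try:
        conn.execute(sql, (user_input,))
        return "bound"
    except sqlite3.ProgrammingError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    honest = "morten reistad"
    # Constructed input containing a quote, the kind of value that must be
    # treated as a name and nothing else.
    quoted = "nobody' OR '1'='1"
    print("in-band, honest:      ", lookup_inband(db, honest))
    print("in-band, quoted:      ", lookup_inband(db, quoted))
    print("placeholder, honest:  ", lookup_placeholder(db, honest))
    print("placeholder, quoted:  ", lookup_placeholder(db, quoted))
    print("quoted placeholder:   ", lookup_quoted_placeholder(db, honest))
```

With the placeholder version every row returned really has the name that was supplied, so the input containing a quote simply matches nothing; with the spliced version the same input changes the shape of the WHERE clause and the whole table comes back. The third function shows why the driver rejects `'?'`: once the question mark is inside the string literal there is no parameter left to bind, which is exactly the symptom that reveals the bug during testing rather than in production.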
