SQL Injection and DBI placeholders

Discussion in 'Perl Misc' started by Ulrich Herbst, Jun 15, 2004.

  1. Hi!

    I want to insert data from user input into a database (with DBI):

    my $sth = $dbh->prepare(q(
    INSERT INTO table
    (col1,col2,col3)
    VALUES (?, ?, ?)
    ));
    my $rc = $sth->execute($data1, $data2, $data3);

    Do I have to deal with SQL injection if I use DBI placeholders?

    In other words: do I have to "untaint" $data1, $data2, $data3?

    (Yes, I know that bind variables/placeholders can be much faster.)

    Uli

    Ulrich Herbst, Jun 15, 2004
    #1

  2. Ulrich Herbst

    Guest

    Ulrich Herbst <> wrote:
    > Hi!
    >
    > I want to insert data from user input into a database (with DBI):
    >
    > my $sth = $dbh->prepare(q(
    > INSERT INTO table
    > (col1,col2,col3)
    > VALUES (?, ?, ?)
    > ));
    > my $rc = $sth->execute($data1, $data2, $data3);
    >
    > Do I have to deal with SQL injection if I use DBI placeholders?


    No. Just by using placeholders you have already dealt with that
    problem.

    Xho

    , Jun 15, 2004
    #2

  3. Ulrich Herbst

    Vetle Roeim Guest

    On 15 Jun 2004 16:14:35 GMT, <> wrote:

    > Ulrich Herbst <> wrote:
    >> Hi!
    >>
    >> I want to insert data from user input into a database (with DBI):
    >>
    >> my $sth = $dbh->prepare(q(
    >> INSERT INTO table
    >> (col1,col2,col3)
    >> VALUES (?, ?, ?)
    >> ));
    >> my $rc = $sth->execute($data1, $data2, $data3);
    >>
    >> Do I have to deal with SQL injection if I use DBI placeholders?

    >
    > No. Just by using placeholders you have already dealt with that
    > problem.


    Is that independent of the database driver used? I'm wondering because I
    remember seeing a bug in a JDBC driver a while back that made SQL
    injection possible, even *with* placeholders.



    --
    Touch eyeballs to screen for cheap laser surgery!
     
    Vetle Roeim, Jun 16, 2004
    #3
  4. Ulrich Herbst

    gnari Guest

    "Vetle Roeim" <> wrote in message
    news:eek:...
    > On 15 Jun 2004 16:14:35 GMT, <> wrote:
    >
    > > Ulrich Herbst <> wrote:
    > >> Do I have to deal with SQL injection if I use DBI placeholders?

    > >
    > > No. Just by using placeholders you have already dealt with that
    > > problem.

    >
    > Is that independent of the database driver used? I'm wondering because I
    > remember seeing a bug in a JDBC driver a while back that made SQL
    > injection possible, even *with* placeholders.


    well, a bug is a bug.

    if you use placeholders, it is the driver's/database's
    responsibility to take care of this.

    gnari
     
    gnari, Jun 16, 2004
    #4
  5. Ulrich Herbst

    Vetle Roeim Guest

    On Wed, 16 Jun 2004 08:13:02 -0000, gnari <> wrote:

    >
    > "Vetle Roeim" <> wrote in message
    > news:eek:...
    >> On 15 Jun 2004 16:14:35 GMT, <> wrote:
    >>
    >> > Ulrich Herbst <> wrote:
    >> >> Do I have to deal with SQL injection if I use DBI placeholders?
    >> >
    >> > No. Just by using placeholders you have already dealt with that
    >> > problem.

    >>
    >> Is that independent of the database driver used? I'm wondering because I
    >> remember seeing a bug in a JDBC driver a while back that made SQL
    >> injection possible, even *with* placeholders.

    >
    > well, a bug is a bug.


    I believe I also heard of a JDBC driver that implemented placeholders by
    replacing the ? in the string with the parameters, without checking them,
    before sending the whole string to the database. This is an extreme
    example, of course, and I doubt anyone would do it like that today.

    Anyway, my point is that blindly trusting the database driver may not be a
    good idea, but that depends on what you're doing and how paranoid you are.
    I usually trust the database driver myself, but I like playing the devil's
    advocate when I see someone claiming that placeholders prevent SQL
    injection, pointing out that they're not magic and that they are subject
    to the same rules as all other software. :)


    > if you use placeholders, it is the driver's/database's
    > responsibility to take care of this.


    Sure, but it's my problem if it doesn't do it properly. ;)


    --
    Touch eyeballs to screen for cheap laser surgery!
     
    Vetle Roeim, Jun 16, 2004
    #5
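An added example, not code from the thread, that puts Xho's answer and Vetle's caveat side by side: real parameter binding (the DBI prepare/execute model with `?` placeholders) beside a driver path that fakes placeholders by textual substitution, plus a self-test a practitioner can run against either path to see whether values are really bound. It uses Python's sqlite3 so it runs offline on the standard library; the users table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows; the users table and its columns are hypothetical.
ROWS = [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (id, name, email) VALUES (?, ?, ?)", ROWS)
    return conn

def bound_execute(conn, sql, params):
    """Real placeholders (the DBI prepare/execute model): SQL text and values
    travel separately, so a value can never change the statement's structure."""
    return conn.execute(sql, params).fetchall()

def naive_execute(conn, sql, params):
    """Emulates the broken driver from the thread: each '?' is replaced
    textually by the quoted value, no escaping, and the result is sent as
    one string. The value becomes part of the SQL grammar."""
    for value in params:
        sql = sql.replace("?", "'" + str(value) + "'", 1)
    return conn.execute(sql).fetchall()

def insert_and_read_back(conn, execute, uid, name):
    """Store a name through the given driver path and read it back by id."""
    execute(conn, "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
            (uid, name, "new@example.test"))
    return execute(conn, "SELECT name FROM users WHERE id = ?", (uid,))[0][0]

def placeholders_really_bind(conn, execute):
    """Self-test for a driver path: with real binding a quote-bearing value
    is plain data, so the probe matches no row and O'Brien round-trips intact.
    Returns False when the driver is only doing string substitution."""
    probe = "' OR '1'='1"
    try:
        hits = execute(conn, "SELECT id FROM users WHERE name = ?", (probe,))
        stored = insert_and_read_back(conn, execute, 99, "O'Brien")
    except sqlite3.OperationalError:  # the quote broke the SQL: not binding
        return False
    return hits == [] and stored == "O'Brien"

if __name__ == "__main__":
    for label, path in (("bound", bound_execute), ("naive", naive_execute)):
        print(label, "binds correctly:", placeholders_really_bind(make_db(), path))
```

With the bound path the quote in O'Brien needs no application-side untainting; with the substituting path the same value is a syntax error and the probe value matches every row.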
