SQL Injection and DBI placeholders


Ulrich Herbst

Hi!

I want to insert data from user input into a database (with DBI):

    use DBI;

    # $dbh is an already-connected DBI handle; $data1..$data3 come from user input.
    my $sth = $dbh->prepare(q(
        INSERT INTO table (col1, col2, col3)
        VALUES (?, ?, ?)
    ));
    my $rc = $sth->execute($data1, $data2, $data3);

Do I have to deal with SQL injection if I use DBI placeholders?

In other words: do I have to "untaint" $data1, $data2, $data3?

(Yes, I know that bind variables/placeholders can be much faster.)

Uli

--
'''
(0 0)
+------oOO----(_)--------------+
| |
| Ulrich Herbst |
| |
+-------------------oOO--------+
|__|__|
|| ||
ooO Ooo

ctcgag

Ulrich Herbst said:
Hi!

I want to insert data from user input into a database (with DBI):

    use DBI;

    # $dbh is an already-connected DBI handle; $data1..$data3 come from user input.
    my $sth = $dbh->prepare(q(
        INSERT INTO table (col1, col2, col3)
        VALUES (?, ?, ?)
    ));
    my $rc = $sth->execute($data1, $data2, $data3);

Do I have to deal with SQL injection if I use DBI placeholders?

No. Just by using placeholders you have already dealt with that
problem.

Xho

Vetle Roeim

ctcgag said:
No. Just by using placeholders you have already dealt with that
problem.

Is that independent of the database driver used? I'm wondering because I
remember seeing a bug in a JDBC driver a while back that made SQL
injection possible, even *with* placeholders.

gnari

Vetle Roeim said:
Is that independent of the database driver used? I'm wondering because I
remember seeing a bug in a JDBC driver a while back that made SQL
injection possible, even *with* placeholders.

well, a bug is a bug.

if you use placeholders, it is the driver's/database's
responsibility to take care of this.

gnari

Vetle Roeim

gnari said:
well, a bug is a bug.

I believe I also heard of a JDBC driver that implemented placeholders by
replacing the ? in the string with the parameters, without checking them,
before sending the whole string to the database. This is an extreme
example, of course, and I doubt anyone would do it like that today.

Anyway; my point is that blindly trusting the database driver may not be a
good idea, but that depends on what you're doing and how paranoid you are.
I usually trust the database driver myself, but I like playing the devil's
advocate when I see someone claiming that placeholders prevent SQL
injection, pointing out that they're not magic and that they are subject
to the same rules as all other software. :)

gnari said:
if you use placeholders, it is the driver's/database's
responsibility to take care of this.

Sure, but it's my problem if it doesn't do it properly. ;)
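The two points made in this thread, that a real placeholder binds the value as data, and that a driver which merely pastes the value into the query string gives no protection at all, can be shown side by side. The following is an added example, not code from the thread; it uses Python's sqlite3 module (whose `?` placeholders work like DBI's) rather than Perl DBI so that it runs without a database server. `naive_substitute` is a hypothetical stand-in for the broken driver behaviour Vetle describes, not any real DBI or JDBC driver, and the table rows and the hostile input are constructed sample data.

```python
import sqlite3

# Constructed sample rows; the table mirrors the columns in the question.
ROWS = [("alice", "secret-a", "x"), ("bob", "secret-b", "y")]

# Constructed hostile input: a classic tautology. Bound as data it is just
# an odd string; pasted into the SQL text it changes the WHERE clause.
HOSTILE = "x' OR '1'='1"


def fresh_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col1 TEXT, col2 TEXT, col3 TEXT)")
    conn.executemany("INSERT INTO t (col1, col2, col3) VALUES (?, ?, ?)", ROWS)
    return conn


def naive_substitute(sql, params):
    """Hypothetical 'driver' that emulates placeholders by textual substitution:
    each ? is replaced by the value wrapped in single quotes, with no escaping.
    This is the failure mode discussed in the thread, not a real driver."""
    for p in params:
        sql = sql.replace("?", "'" + str(p) + "'", 1)
    return sql


def rows_with_naive_driver(value):
    """Query through the broken substitution path; returns matching col1 values."""
    conn = fresh_db()
    sql = naive_substitute("SELECT col1 FROM t WHERE col2 = ? ORDER BY col1", [value])
    return [row[0] for row in conn.execute(sql)]


def rows_with_real_placeholder(value):
    """Same query with a genuine bound parameter; the value is never parsed as SQL."""
    conn = fresh_db()
    cur = conn.execute("SELECT col1 FROM t WHERE col2 = ? ORDER BY col1", (value,))
    return [row[0] for row in cur]


def insert_with_placeholder(value):
    """The INSERT from the question: the bound value is stored verbatim,
    quotes and all, and nothing in it is interpreted as SQL."""
    conn = fresh_db()
    conn.execute(
        "INSERT INTO t (col1, col2, col3) VALUES (?, ?, ?)", (value, "d2", "d3")
    )
    return conn.execute("SELECT col1 FROM t WHERE col2 = 'd2'").fetchone()[0]


if __name__ == "__main__":
    print("naive substitution:", rows_with_naive_driver(HOSTILE))    # every row
    print("real placeholder:  ", rows_with_real_placeholder(HOSTILE))  # no row
    print("stored verbatim:   ", insert_with_placeholder(HOSTILE))
```

With the genuine placeholder the hostile string simply matches nothing and, on insert, lands in the column unchanged, which is why no "untainting" is needed for SQL injection purposes. The substitution path returns every row because the quote in the input terminates the literal early, exactly the behaviour a driver must never have.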