Is DBI prepare() statement enough for SQL injection?

H

howa

I have just found a simple cases, which is not, e.g.

#--------------------------------------------------

use strict;
use DBI;
use Data::Dumper;

my $dbh = DBI-
connect("DBI:mysql:database=information_schema;host=localhost","root","",
Click to expand...
{ RaiseError => 1, AutoCommit => 1 });

my $input = "%a"; # User hack by using wildcard

my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE
`CHARACTER_SET_NAME` LIKE ? ") ;
$sth->execute( $input . "%") ; # Originally you let the user search by
prefix

while ( my $data = $sth->fetchrow_hashref() ) {
print Dumper $data;
}

#--------------------------------------------------

So we should not 100% believe in prepare() which make you100% SQL
injection free.

Any other cases want to share?

Howard
 
X

xhoster

howa said:
I have just found a simple cases, which is not, e.g.

#--------------------------------------------------

use strict;
use DBI;
use Data::Dumper;

my $dbh = DBI-
{ RaiseError => 1, AutoCommit => 1 });

my $input = "%a"; # User hack by using wildcard
Click to expand...

That is not SQL injection.
my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE
`CHARACTER_SET_NAME` LIKE ? ") ;
$sth->execute( $input . "%") ; # Originally you let the user search by
prefix
Click to expand...

What do you mean by "originally"? You have shown us only one version
of your code, there is no "originally".

So we should not 100% believe in prepare() which make you100% SQL
injection free.
Click to expand...

There is no SQL injection. The submitted value did not escape from what
was intended to be a data value out into general SQL syntax. It stayed in
the data value. The fact that that data value can be something you don't
want does not make an SQL injection.
Any other cases want to share?
Click to expand...

There are thousands of ways to be incompetent. You want a listing of
all of them?

Xho

--
-------------------- http://NewsReader.Com/ --------------------
The costs of publication of this article were defrayed in part by the
payment of page charges. This article must therefore be hereby marked
advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
this fact.
 
J

Joost Diepenmaat

howa said:
my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE
`CHARACTER_SET_NAME` LIKE ? ") ;
$sth->execute( $input . "%") ; # Originally you let the user search by
prefix
Click to expand...

That's no different from cases where you pass values to SQL predicates
or functions: placeholders only make sure your values are passed as is,
IOW they only take care of quoting. They don't prevent you from passing
values that you don't like.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Is prepare statement enough for SQL injection? 12
SQL Injection and DBI placeholders 4
DBI problem: Can't connect to MySQL server on 'localhost' (10061 4
Class::DBI is sooooooooooo slow 1
DBI problems 4
Fail extracting table from .mdb file using DBI module 6
getting DBI and ODBC to work with PERL and MYSQL data source 1
dbi ODBC problem executing prepared statement taking datetime type 0

Members online

Total: 35 (members: 3, guests: 32)
Robots: 235

Forum statistics

Threads
473,764
Messages
2,569,566
Members
45,041
Latest member
RomeoFarnh

Latest Threads

Top