RE: security advice needed

2008-11-14 Thread Jenda Krynicky
> From: Ian Harisay [EMAIL PROTECTED]
> > James H. McCullars [mailto:[EMAIL PROTECTED]] wrote:
> > So I need to make sure that if I do something like the standard:
> >
> > $sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");
> >
> > and use the contents of the Subject: line as a value, some spammer
> > couldn't put SQL code in the subject and have it interpreted.  Something
> > like:
> >
> > Subject: Increase your money; hello; use mysql; drop table users;
> >
> > or something to that effect.  Would someone be able to do this, and
> > if so, how would I guard against it?  Thanks...
>
> The fact that you're using placeholders will prevent an SQL
> injection attack from happening.  You're good to go.

Unless of course the statement is a stored procedure call and the 
stored procedure uses some ad-hoc SQL inside. In which case the 
procedure should handle the escaping, but you still have to take that 
into account.

Jenda
= [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =
When it comes to wine, women and song, wizards are allowed 
to get drunk and croon as much as they like.
-- Terry Pratchett in Sourcery



security advice needed

2008-11-12 Thread James H. McCullars
Hi, we have a special address that our users can forward spam 
complaints to, and the number of complaints is exceeding what I can 
deal with manually.  So I am thinking of automating this process and 
populating a database with things like local user, sending IP, 
sending relay address, subject, etc for each spam complaint that 
comes in.  So I need to make sure that if I do something like the standard:


$sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");

and use the contents of the Subject: line as a value, some spammer 
couldn't put SQL code in the subject and have it interpreted.  Something like:


Subject: Increase your money; hello; use mysql; drop table users;

or something to that effect.  Would someone be able to do this, and 
if so, how would I guard against it?  Thanks...


Jim McCullars
University of Alabama in Huntsville



RE: security advice needed

2008-11-12 Thread Ian Harisay
The fact that you're using placeholders will prevent an SQL injection attack 
from happening.  You're good to go.

-Original Message-
From: James H. McCullars [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 12, 2008 1:27 PM
To: dbi-users@perl.org
Subject: security advice needed

Hi, we have a special address that our users can forward spam
complaints to, and the number of complaints is exceeding what I can
deal with manually.  So I am thinking of automating this process and
populating a database with things like local user, sending IP,
sending relay address, subject, etc for each spam complaint that
comes in.  So I need to make sure that if I do something like the standard:

$sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");

and use the contents of the Subject: line as a value, some spammer
couldn't put SQL code in the subject and have it interpreted.  Something like:

Subject: Increase your money; hello; use mysql; drop table users;

or something to that effect.  Would someone be able to do this, and
if so, how would I guard against it?  Thanks...

Jim McCullars
University of Alabama in Huntsville



Re: security advice needed

2008-11-12 Thread David Nicol
On Wed, Nov 12, 2008 at 3:50 PM, Ulisses Montenegro
[EMAIL PROTECTED] wrote:
> Also, if you ever need to display those values in any other potentially
> interpreted format (such as a Web page -- browsers interpret and render
> HTML), remember to escape them. Even if you are protecting yourself
> against SQL injection, you might end up vulnerable to XSS/CSRF attacks
> by displaying unescaped data in a web document.
>
> Ulisses

see also
http://search.cpan.org/~rsavage/HTML-Entities-Interpolate-1.00/lib/HTML/Entities/Interpolate.pm


RE: security advice needed

2008-11-12 Thread Ulisses Montenegro
Also, if you ever need to display those values in any other potentially
interpreted format (such as a Web page -- browsers interpret and render
HTML), remember to escape them. Even if you are protecting yourself
against SQL injection, you might end up vulnerable to XSS/CSRF attacks
by displaying unescaped data in a web document.

Ulisses

On Wed, 2008-11-12 at 14:03 -0700, Ian Harisay wrote:
> The fact that you're using placeholders will prevent an SQL injection attack 
> from happening.  You're good to go.
> 
> -Original Message-
> From: James H. McCullars [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 12, 2008 1:27 PM
> To: dbi-users@perl.org
> Subject: security advice needed
> 
> Hi, we have a special address that our users can forward spam
> complaints to, and the number of complaints is exceeding what I can
> deal with manually.  So I am thinking of automating this process and
> populating a database with things like local user, sending IP,
> sending relay address, subject, etc for each spam complaint that
> comes in.  So I need to make sure that if I do something like the standard:
> 
> $sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");
> 
> and use the contents of the Subject: line as a value, some spammer
> couldn't put SQL code in the subject and have it interpreted.  Something like:
> 
> Subject: Increase your money; hello; use mysql; drop table users;
> 
> or something to that effect.  Would someone be able to do this, and
> if so, how would I guard against it?  Thanks...
> 
> Jim McCullars
> University of Alabama in Huntsville
> 
-- 
Ulisses Reina Montenegro de Albuquerque
AB34 A154 28C1 84A8 676E  202F 264B 117F 88BA B1A5
Tempest Security Intelligence [http://www.tempest.com.br/]
In theory, theory and practice are the same. In practice, they are
not.
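
Pulling the thread's advice together, as an added example that is not code from any of the posters: a Perl DBI script that inserts the quoted Subject: line through placeholders (the question Ian answered), contrasts that with string interpolation, and HTML-escapes the stored values before display (Ulisses' point). It assumes DBI, DBD::SQLite and HTML::Entities are installed; the table layout, IP address and subject lines are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: store a spam-complaint Subject:
# line via DBI placeholders (the question Ian answered) and HTML-escape it on
# output (Ulisses' point). Assumes DBI, DBD::SQLite and HTML::Entities are
# installed; table layout, IP address and subject lines are constructed.
use strict;
use warnings;
use DBI;
use HTML::Entities qw(encode_entities);

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE complaints (local_user TEXT, sending_ip TEXT, subject TEXT)");
$dbh->do("CREATE TABLE users (name TEXT)");   # the table the poster worried about

# Constructed subjects: the one from the thread, one with an apostrophe (what
# actually breaks naively interpolated SQL) and one with HTML metacharacters.
my @subjects = (
    "Increase your money; hello; use mysql; drop table users;",
    "Don't miss this offer",
    q{Save <50%> & more -- "limited" time},
);

# Safe: statement text and bound values travel to the driver separately, so
# the subject is never parsed as SQL, whatever characters it contains.
my $ins = $dbh->prepare(
    "INSERT INTO complaints (local_user, sending_ip, subject) VALUES (?,?,?)");
$ins->execute("jsmith", "192.0.2.10", $_) for @subjects;

# Unsafe, shown for contrast only: the subject becomes part of the SQL text,
# so the apostrophe subject produces a malformed statement and DBI dies.
for my $subj (@subjects) {
    eval { $dbh->do("INSERT INTO complaints VALUES ('jsmith','192.0.2.10','${subj}')"); 1 }
        or print "interpolated INSERT rejected [$subj]: $@";
}

# Placeholder rows are stored verbatim and the users table is untouched.
my ($n_users) = $dbh->selectrow_array(
    "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'");
print "users table present: $n_users\n";

# Display: SQL-safe storage says nothing about HTML-safe output, so escape
# every value before it goes into a web page.
my $rows = $dbh->selectall_arrayref(
    "SELECT local_user, subject FROM complaints ORDER BY rowid", { Slice => {} });
print "<tr><td>", encode_entities($_->{local_user}),
      "</td><td>", encode_entities($_->{subject}), "</td></tr>\n" for @$rows;
```

Note that the thread's own sample subject contains no quote character, so even the interpolated form stores it as one literal string; it is the apostrophe case that shows why placeholders, not hand-escaping, are the right default.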