On 8/27/2003 12:01 PM +0200, Wojciech Pietron wrote:
> I have recently read an article on SQL Injection
> (http://www.securityfocus.com/infocus/1644). I realize that it is not
> possible to SQL inject a call that uses bind variables, but there are
> cases when we have to create dynamic SQL.
>
> Has anybody ever tried to write a generic Perl package/function that
> checks dynamic sql against SQL Inject and untaints it? Before I do it
> myself, I would like to see what others have already done.
In Bugzilla we have the following routines that the data gets passed through
before adding the data to the generated queries:
# It's much much better to use bound params instead of this
sub SqlQuote {
    my ($str) = @_;
    # Backwards compat code: an undefined value becomes an empty SQL string
    return "''" if not defined $str;
    # Let the DBI driver add the quotes and escape whatever it needs to
    my $res = Bugzilla->dbh->quote($str);
    trick_taint($res);
    return $res;
}

# don't use this unless you are absolutely positive the data is
# safe and you have no other choice
sub trick_taint {
    # Capturing the whole value (/s so it spans newlines) untaints it
    $_[0] =~ /^(.*)$/s;
    $_[0] = $1;
    return (defined($_[0]));
}

sub detaint_natural {
    # Only an unsigned integer survives; anything else becomes undef
    $_[0] =~ /^(\d+)$/;
    $_[0] = $1;
    return (defined($_[0]));
}
SqlQuote() relies on the assumption that calling $dbh->quote() on a string
will quote the string in such a way that any SQL injected in it will appear
as part of the string and not as SQL. It calls trick_taint to
unconditionally detaint the string based on the assumption that it's now
safe for SQL.
Numeric parameters get passed through detaint_natural() prior to being
placed into the query. If detaint_natural returns an error (the data
passed wasn't a natural number), we throw an error to the user, as the data
is unusable.
--
Dave Miller Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/ http://www.bugzilla.org/
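The taint-mode flow described in the post (validate a numeric parameter with a detaint_natural-style regex, then hand the value to the driver as a bind parameter rather than pasting it into the SQL text), as an added stand-alone example that is not Bugzilla's code. It assumes DBI and DBD::SQLite are installed; detaint_natural_copy and the in-memory bugs table are constructed for the illustration.

```perl
#!/usr/bin/perl -T
# Added example (not Bugzilla code): taint-mode handling of a user-supplied
# bug id, checked the detaint_natural() way and then passed as a bind
# parameter.  Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Reject anything that is not a natural number; returns the untainted
# value or undef.  Same regex idea as Bugzilla's detaint_natural().
sub detaint_natural_copy {
    my ($val) = @_;
    return undef unless defined $val && $val =~ /^(\d+)$/;
    return $1;    # a regex capture is untainted
}

# Constructed in-memory table standing in for the bugs table
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, short_desc TEXT)");
my $ins = $dbh->prepare("INSERT INTO bugs (bug_id, short_desc) VALUES (?, ?)");
$ins->execute(1, "crash on startup");
$ins->execute(2, "it's broken; DROP TABLE bugs");  # quotes and semicolons are just data

# Command-line input is tainted under -T; the literal default is not
my $input = defined $ARGV[0] ? $ARGV[0] : "2";
printf "input '%s' tainted before check: %s\n", $input, tainted($input) ? "yes" : "no";

my $id = detaint_natural_copy($input);
if (!defined $id) {
    # Bugzilla throws an error to the user at this point: the data is unusable
    die "Invalid bug id '$input': must be a natural number\n";
}
printf "tainted after check: %s\n", tainted($id) ? "yes" : "no";

# Bind parameter: the driver keeps the value out of the SQL text entirely
my $sth = $dbh->prepare("SELECT short_desc FROM bugs WHERE bug_id = ?");
$sth->execute($id);
while (my ($desc) = $sth->fetchrow_array) {
    print "bug $id: $desc\n";
}
$dbh->disconnect;
```

Run it as `perl -T script.pl 2` (the -T switch must be given on the command line as well as the shebang, or Perl refuses with "Too late for -T"); try `perl -T script.pl "2 OR 1=1"` to see the natural-number check reject the input before any SQL is built.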