On Sun, Sep 28, 2003 at 12:58:16PM -0700, Dave Anderson wrote:
> Tim, that link is dead.
Ah phooey. And the internet archive (archive.org) doesn't have a copy either.
> Also, it seems that the main thrust of the first
> article is in regards to stored procedures:
>
> (excerpted from first link below)
> To SQL inject and use PL/SQL packages, procedure or functions really
> requires a case of dynamic PL/SQL. If a form or application builds and
> executes dynamic PL/SQL in the same manner as described above, the same
> techniques can be used to insert calls to standard PL/SQL packages on
> any PL/SQL packages or functions that exist in the schema.
>
> So, is the argument presented on this thread that the use of DBI is
> equivalent to the use of stored procedures in terms of creating
> opportunities to SQL inject? Are you saying that, even though I use _no_
> stored procedures in this DB, I am at risk because I am interfacing to
> it with DBI? Or are you being really careful, telling me this "just in
> case" I _am_ using stored procedures?
There is a potential problem with any code that constructs a "command"
using data provided by users and passes it to an external system
(SQL database, UNIX command shell etc).
If the user input (which cannot be trusted) is not properly 'escaped',
there is a risk that
select * from table where id=$id
There are probably many systems on the web that let you enter a
number (say an order number) where you could enter something like
"0 or 1=1" and instead of getting one order displayed get all of
them. That's information leakage.
If the database is one that lets you pass multiple commands you can
have even more, er, fun. Try entering "0; delete from tablename;"
An oft-quoted fix is to use the $dbh->quote method to correctly
quote any strings entered (so any embedded quotes are escaped so
they can't terminate the string early). But as you can see from the
examples above, numeric values need care as well.
Using placeholders avoids the problem because a placeholder can't
be expanded into arbitrary SQL text.
Tim.
> Thx,
>
> Dave A.
>
> Tim Bunce wrote:
>
> >On Sun, Sep 28, 2003 at 10:36:21AM +1000, Ron Savage wrote:
> >
> >>On Sat, 27 Sep 2003 01:53:46 -0700, Dave Anderson wrote:
> >>
> >>Hi Dave
> >>
> >>In case no-one mentioned it yet, you can read about SQL injection attacks
> >>here:
> >>
> >>http://www.securityfocus.com/infocus/1644
> >>
> >>This is a superb article.
> >
> >
> >And here: http://www.nextgenss.com/research/papers.html
> >
> >Tim.
> >
> >p.s. Both URLs are in the DBI docs.
> >
>
>
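The interpolation-versus-placeholder contrast Tim describes above, as an added example that is not code from the thread, from DBI, or from the linked articles. It is written in Python against the standard sqlite3 module, whose `?` parameter binding plays the same role as DBI placeholders, and it builds a constructed in-memory `orders` table so it runs offline. The function names and the sample rows are the example's own; `executescript` is used only as a stand-in for a database that lets the caller pass several `;`-separated commands in one go.

```python
import sqlite3


def make_db():
    """Create an in-memory orders table with three constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "bob", 250.00), (3, "carol", 7.50)],
    )
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows currently in the orders table."""
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def lookup_interpolated(conn, order_id):
    """VULNERABLE: the user-supplied value is pasted into the SQL text, exactly
    like `select * from table where id=$id`. Input "0 or 1=1" turns the WHERE
    clause into `id=0 or 1=1` and every order comes back (information leakage)."""
    sql = f"SELECT id, customer, total FROM orders WHERE id={order_id}"
    return conn.execute(sql).fetchall()


def lookup_interpolated_stacked(conn, order_id):
    """VULNERABLE, and worse: same interpolation, but executed through an API
    that accepts several ';'-separated statements (sqlite3's executescript,
    standing in for a database/driver that allows stacked commands). Input
    "0; delete from orders;" runs the DELETE too. Returns the rows left."""
    sql = f"SELECT id, customer, total FROM orders WHERE id={order_id}"
    conn.executescript(sql)  # anything the attacker appended after ';' runs here
    return row_count(conn)


def lookup_placeholder(conn, order_id):
    """SAFE: a '?' placeholder. The driver binds the value separately from the
    SQL text, so "0 or 1=1" is compared as one opaque value against the id
    column and simply matches nothing; it can never become SQL syntax."""
    sql = "SELECT id, customer, total FROM orders WHERE id=?"
    return conn.execute(sql, (order_id,)).fetchall()


def lookup_validated(conn, order_id):
    """SAFE and strict: numeric fields deserve care beyond quoting, so reject
    anything that is not an integer before it reaches the database at all."""
    try:
        order_id = int(order_id)
    except (TypeError, ValueError):
        raise ValueError(f"order id must be an integer, got {order_id!r}")
    return lookup_placeholder(conn, order_id)


if __name__ == "__main__":
    db = make_db()
    hostile = "0 or 1=1"
    print("interpolated:", lookup_interpolated(db, hostile))   # all three rows
    print("placeholder: ", lookup_placeholder(db, hostile))    # []
    try:
        lookup_validated(db, hostile)
    except ValueError as e:
        print("validated:   ", e)
    print("rows before stacked attack:", row_count(db))
    print("rows after stacked attack: ",
          lookup_interpolated_stacked(db, "0; delete from orders;"))
```

Quoting the value as a string literal (what `$dbh->quote` does) would also have stopped both payloads here, but only because it wraps the whole thing in quotes; the moment a developer skips the quoting because the field "is a number", the interpolated form above is what runs, which is why the thread's advice is placeholders plus, for numeric fields, an explicit check that the value really is numeric.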