[13747] in bugtraq
DBI bind values [was Re: RFP2K01 - "How I hacked Packetstorm"
daemon@ATHENA.MIT.EDU (Kelly.Setzer@INGRAMENTERTAINMENT.C)
Tue Feb 8 02:54:52 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000207155545.B7811@ingramentertainment.com>
Date: Mon, 7 Feb 2000 15:55:45 -0600
Reply-To: Kelly.Setzer@ingramentertainment.com
From: Kelly.Setzer@INGRAMENTERTAINMENT.COM
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200002051147.MAA12247@picard.cistron.nl>; from van der Meulen,
Robert on Sat, Feb 05, 2000 at 12:47:17PM +0100
On Sat, Feb 05, 2000 at 12:47:17PM +0100, van der Meulen, Robert wrote:
> > In the end, *all* (let me repeat that... **ALL**) incoming user data
> > should be passed through quote(), onlynumbers(), or scrubtable()...NO
> > EXCEPTIONS! Passing user data straight into a SQL query is asking for
> > someone to tamper with your database.
No exceptions. Not even if something is supposed to fail with invalid
input. Always check it. You know you don't control the client.
You may be overestimating how much control you have over your backend,
supporting software, or development environment.
[ original message reordered so the reply makes more sense ]
> If the script acessing the database uses DBI, it's better to handle a query
> the following way:
>
> $sth=$dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
>
> Using the '?' placeholders takes care of quoting, and allows re-execute()ing
> the query with different parameters.
I think you have to do the statement quoting on your own. The ? binds
arguments for the DBI execute method and automatically does escaping on
the values passed to execute().
$sth=$dbh->prepare(q{ INSERT INTO table (foo,bar) VALUES (?,?) });
> $sth->execute($evil-unquoted-string, $evil-unquoted-other-string);
However, using the '?' placeholders does simplify a great many things.
It can also be a tremendous performance boost over calling prepare
each time.
Kelly
--
Kelly Setzer, Interstitial Engineering, Ingram Entertainment, Inc.
(615)287-4863 kelly.setzer@ingramentertainment.com http://www.accessingram.com
"Only those who dare to fail greatly can ever achieve greatly." -- JFK
