http://qs321.pair.com?node_id=730257


in reply to Yet another reason to use DBI placeholders

Hey, funny that. There's a SQL injection (https://rt.cpan.org/Ticket/Display.html?id=41565 in the latest DBD::Pg that works even in the face of placeholders.

> > $s=$d->prepare(q[select ? where 1=?], { pg_server_prepare => 0 });
> > $s->bind_param(2,undef,SQL_INTEGER);
> > $s->execute(1,"2; drop table x;");

[download]

⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊

Replies are listed 'Best First'.
Re^2: Yet another reason to use DBI placeholders
by mr_mischief (Monsignor) on Dec 16, 2008 at 03:10 UTC
    That's a scary one. Here's hoping it's fixed soon. I also hope that if the bind_param call is not made that "2; drop table x;" would be passed as a quoted string in the meantime.
[reply]

In Section Meditations