PerlMonks  

Re: Re: Using-T and Untainting SQL

by sdyates (Scribe)
on Apr 29, 2002 at 17:09 UTC


in reply to Re: Using-T and Untainting SQL
in thread Using-T and Untainting SQL

So using placeholders prevents this from happening? The data is still sent to the db although not through the use of placeholders, but through other variables, cannot the hacker still intercept the information? I think this is where T comes in. I am looking into this right now.

Yes, I am trying to locate good documentation on the issue... nothing like a good technical doc to sink my teeth into.

Thanks
Simon

Re3: Using-T and Untainting SQL
by PotPieMan (Hermit) on Apr 29, 2002 at 18:55 UTC
    Take this as an example:
    use DBI;

    my $username = $query->param('username');
    # Do some input validation if necessary

    # DBI code
    my $sql = "SELECT * FROM users WHERE username = ?";
    ...
    $sth->execute($username);
    (Note: There are other ways of specifying values for placeholders and binding values, as it is referred to in the DBI documentation.)

    If a malicious user were to pass in PotPieMan; DROP TABLE users for the username, the DBI module would parse this as the following: SELECT * FROM users WHERE username = 'PotPieMan; DROP TABLE users';

    and (most likely) return 0 rows. The point is that you, the programmer, have to worry A LOT LESS about getting every possible case of SQL exploitation covered.

    --PotPieMan

      Very well put!

      I can see why placeholders are very important. I have changed most of my code over to use placeholders. I have seen the light and understand why it is important.

      So there is no big push to use Taint? From what I have read, Taint can involve a bit of work and cause disruptions if not set up properly.

      Thanks

        Taint mode makes your script as safe as possible because it makes you more paranoid about the data coming into your script. You should still put taint on your TO DO list, but you should be okay without it. This is, of course, assuming that you aren't making any system calls in your scripts (using backticks, system, exec, or any of the other means of calling an external file).

        Unfortunately, I couldn't find any good nodes on taint mode here, but I'll try and look some more. I did find the following:

        --PotPieMan
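The two layers discussed in this thread, placeholders (PotPieMan's first reply) and taint mode (the reply above), put together in one runnable script. This is an added example, not code from the thread or from DBI itself; it assumes DBI and DBD::SQLite are installed, and the in-memory users table, its two rows and the sample inputs (including the thread's PotPieMan; DROP TABLE users string) are constructed here.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Assumes DBI and DBD::SQLite are
# installed; the in-memory table, its rows and the inputs are constructed here.
use strict;
use warnings;
use DBI;

# Under -T, data from outside the program (CGI params, %ENV, STDIN) is tainted.
# Our sample inputs are literals, so taint them the usual way: concatenating a
# zero-length slice of an already tainted value (%ENV) taints the result.
sub as_tainted {
    my ($value) = @_;
    return $value . substr($ENV{PATH} // '', 0, 0);
}

# Untainting means proving the value is what you expect: capture it from a
# whitelist pattern and refuse anything that does not match (no blacklists).
sub untaint_username {
    my ($raw) = @_;
    return $1 if $raw =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return;
}

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (username TEXT, level TEXT)");
my $ins = $dbh->prepare("INSERT INTO users (username, level) VALUES (?, ?)");
$ins->execute(@$_) for ["PotPieMan", "Hermit"], ["sdyates", "Scribe"];

# The placeholder form of the thread's query: the bound value is sent as data,
# so quotes and semicolons inside it are never parsed as SQL.
my $by_name = $dbh->prepare("SELECT COUNT(*) FROM users WHERE username = ?");

for my $input ("PotPieMan", "PotPieMan; DROP TABLE users", "O'Brien") {
    my $raw = as_tainted($input);

    # Layer 1: taint discipline. A value that fails the whitelist stays tainted;
    # -T then blocks it from open/system/backticks, and DBI's TaintIn => 1
    # attribute would make execute() refuse it as well.
    my $clean = untaint_username($raw);
    printf "%-30s untaint: %s\n", "[$input]", defined $clean ? "ok" : "rejected";

    # Layer 2: placeholders. Even the raw value cannot alter the statement.
    $by_name->execute($raw);
    my ($n) = $by_name->fetchrow_array;
    printf "%-30s placeholder lookup: %d row(s)\n", "", $n;
}

# Whatever was submitted, the users table is still there with both rows.
my ($rows) = $dbh->selectrow_array("SELECT COUNT(*) FROM users");
print "users table intact: $rows rows\n";
```

Run it as perl -T script.pl (the -T on the shebang line must match the command line); the "O'Brien" input shows why the quoting is left to DBI, since an interpolated query would choke on the apostrophe while the placeholder simply finds no such user.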
