Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re^3: Hacker Proofing My Script

by CountZero (Bishop)
on Oct 04, 2004 at 20:15 UTC ( [id://396375]=note: print w/replies, xml ) Need Help??


in reply to Re^2: Hacker Proofing My Script
in thread Hacker Proofing My Script

Quite right, thanks for refreshing my memory! But I was not entirely wrong here: what is OK on one DB might be terribly insecure on another.

In that respect, MySQL supports prepared statements only since its version 4.1 and unless DBD::MySQL is updated to take advantage of it (I didn't think so), could it be that the placeholder-magic is faked by DBD/DBD::MYSLQ and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Replies are listed 'Best First'.
Re^4: Hacker Proofing My Script
by dave_the_m (Monsignor) on Oct 04, 2004 at 21:19 UTC
    could it be that the placeholder-magic is faked by DBD/DBD::MYSLQ and that it simply relies on quoting and interpolating the placeholders? That would of course be a Bad Thing.
    Not necessarily. The DBD::MySQL driver is likely to have been written by someone competent, who understands how to do the correct quoting to make it injection proof; this is in contrast to typical user-level code, which has a good chance of getting it wrong. So even faked placeholders buy you security.

    Dave.

[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://396375]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others browsing the Monastery: (3)
As of 2024-04-16 06:24 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found