Re: Preventing malicious T-SQL injection attacks


Just another Perl shrine
	PerlMonks

Re: Preventing malicious T-SQL injection attacks

by davorg (Chancellor)

on Mar 05, 2007 at 12:54 UTC ( [id://603204]=note: print w/replies, xml )

Need Help??

in reply to Preventing malicious T-SQL injection attacks

I second the idea of whitelisting the acceptable values for $SPROC and also using placeholders to insert the elements of @CHOICE into the SQL.

Combining the two ideas, might give something like this:

# %procs contains the names of the valid stored procs
# together with the number of parameters each requires
my %procs = (
  proc1 => 2,
  proc2 => 0,
  proc3 => 1,
  # ...
);

unless (exists $procs{$SPROC}) {
  die "Unknown stored proc: $SPROC\n";
}

my $sql = "EXEC $SPROC ".
          join ', ', ('?') x $procs{$SPROC};

my $sth = $dbh->prepare($sql);
$sth->execute(@CHOICE);
[download]

This code also has the advantage of dieing if the number of elements in @CHOICE doesn't match the expected number of parameters.

<http://dave.org.uk>

"The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg

Comment on Re: Preventing malicious T-SQL injection attacks Download Code

Replies are listed 'Best First'.
A reply falls below the community's threshold of quality. You may see it by logging in.
A reply falls below the community's threshold of quality. You may see it by logging in.
A reply falls below the community's threshold of quality. You may see it by logging in.

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://603204]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others chanting in the Monastery: (4)

As of 2024-04-25 15:59 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found