Home page logo

bugtraq logo Bugtraq mailing list archives

DBI bind values [was Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)]
Date: Mon, 7 Feb 2000 15:55:45 -0600

On Sat, Feb 05, 2000 at 12:47:17PM +0100, van der Meulen, Robert wrote:
In the end, *all* (let me repeat that... **ALL**) incoming user data
should be passed through quote(), onlynumbers(), or scrubtable()...NO
EXCEPTIONS!  Passing user data straight into a SQL query is asking for
someone to tamper with your database.

No exceptions.  Not even if something is supposed to fail with invalid
input.  Always check it.  You know you don't control the client.
You may be overestimating how much control you have over your backend,
supporting software, or development environment.

[ original message reordered so the reply makes more sense ]
If the script acessing the database uses DBI, it's better to handle a query
the following way:

$sth=$dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");

Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters.

I think you have to do the statement quoting on your own.  The ? binds
arguments for the DBI execute method and automatically does escaping on
the values passed to execute().

$sth=$dbh->prepare(q{ INSERT INTO table (foo,bar) VALUES (?,?) });

$sth->execute($evil-unquoted-string, $evil-unquoted-other-string);

However, using the '?' placeholders does simplify a great many things.
It can also be a tremendous performance boost over calling prepare
each time.


Kelly Setzer, Interstitial Engineering, Ingram Entertainment, Inc.
(615)287-4863 kelly.setzer () ingramentertainment com http://www.accessingram.com
"Only those who dare to fail greatly can ever achieve greatly." -- JFK

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]