Is DBI prepare() statement enough for SQL injection?

howa · Feb 25, 2008

I have just found a simple cases, which is not, e.g.

#--------------------------------------------------

use strict;
use DBI;
use Data:

umper;

my $dbh = DBI-

connect("DBI:mysql:database=information_schema;host=localhost","root","",

{ RaiseError => 1, AutoCommit => 1 });

my $input = "%a"; # User hack by using wildcard

my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE
`CHARACTER_SET_NAME` LIKE ? ") ;
$sth->execute( $input . "%") ; # Originally you let the user search by
prefix

while ( my $data = $sth->fetchrow_hashref() ) {
print Dumper $data;
}

#--------------------------------------------------

So we should not 100% believe in prepare() which make you100% SQL
injection free.

Any other cases want to share?

Howard

xhoster · Feb 25, 2008

howa said:
I have just found a simple cases, which is not, e.g.

#--------------------------------------------------

use strict;
use DBI;
use Data:umper;

my $dbh = DBI-
{ RaiseError => 1, AutoCommit => 1 });

my $input = "%a"; # User hack by using wildcard

That is not SQL injection.

my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE
`CHARACTER_SET_NAME` LIKE ? ") ;
$sth->execute( $input . "%") ; # Originally you let the user search by
prefix

What do you mean by "originally"? You have shown us only one version
of your code, there is no "originally".

So we should not 100% believe in prepare() which make you100% SQL
injection free.

There is no SQL injection. The submitted value did not escape from what
was intended to be a data value out into general SQL syntax. It stayed in
the data value. The fact that that data value can be something you don't
want does not make an SQL injection.

Any other cases want to share?

There are thousands of ways to be incompetent. You want a listing of
all of them?

Xho

--
-------------------- http://NewsReader.Com/ --------------------
The costs of publication of this article were defrayed in part by the
payment of page charges. This article must therefore be hereby marked
advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
this fact.

Joost Diepenmaat · Feb 25, 2008

howa said:
my $sth = $dbh->prepare("SELECT * FROM `CHARACTER_SETS` WHERE
`CHARACTER_SET_NAME` LIKE ? ") ;
$sth->execute( $input . "%") ; # Originally you let the user search by
prefix

That's no different from cases where you pass values to SQL predicates
or functions: placeholders only make sure your values are passed as is,
IOW they only take care of quoting. They don't prevent you from passing
values that you don't like.

Is prepare statement enough for SQL injection?	12	Jun 5, 2006
SQL Injection and DBI placeholders	4	Jun 15, 2004
DBI problem: Can't connect to MySQL server on 'localhost' (10061	4	Aug 24, 2011
Class::DBI is sooooooooooo slow	1	Apr 21, 2006
DBI problems	4	Feb 11, 2008
Fail extracting table from .mdb file using DBI module	6	Feb 10, 2008
getting DBI and ODBC to work with PERL and MYSQL data source	1	Mar 22, 2007
dbi ODBC problem executing prepared statement taking datetime type	0	Apr 27, 2006

Is DBI prepare() statement enough for SQL injection?

howa

xhoster

Joost Diepenmaat

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads