Re: [Full-Disclosure] Question: is this exploitable?
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Question: is this exploitable?
- From: Jason Dixon <jason@dixongroup.net>
- Date: 18 Oct 2003 09:41:05 -0400
On Sat, 2003-10-18 at 09:18, Jonathan A. Zdziarski wrote:
> > $sth = $dbh->prepare("insert into projects
> > values(null,\"$project\")");
>
> $project = qq!"); delete from any_table where value in("!;
>
> executes:
>
> insert into projects values(null, ""); delete from any_table where value
> in("");
IIRC, using placeholders in your prepared statement should escape
everything properly. Something like:
my $insert_stmt = "insert into projects values (?,?)";
my $sth = $dbh->prepare($insert_stmt);
$sth->execute(undef, $project);   # undef binds a SQL NULL in DBI; there is no NULL bareword
Of course, it's still a good idea to filter $project through a known
good regex.
I highly suggest the following title by Kevin Meltzer and Brent
Michalski. The volume introduces the reader to CGI programming,
starting them off with good security practices, rather than trying to
tack it on as an after-thought.
Writing CGI Applications with Perl
Publisher: Addison-Wesley
ISBN: 0201710145
-J.
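Added example (not part of the post above, nor of the code quoted in it): the interpolated INSERT from the thread next to its placeholder version, run against an in-memory SQLite database so the two behaviours can be compared. The Perl DBI pattern is transliterated to Python's DB-API (sqlite3); the query uses single-quoted string literals, the portable SQL form, so the payload from the quoted message is adjusted to match. The table layouts, the seeded rows and the allow-list regex are assumptions made for the demonstration.

```python
"""Added example (not part of the original thread): string interpolation
versus a bound placeholder, plus the 'known good regex' the reply recommends.
Schema, seed rows and allow-list are constructed for this demonstration."""
import re
import sqlite3

# Payload shaped like the one in the quoted message, with ' instead of "
# because this example uses single-quoted SQL string literals.
PAYLOAD = "'); delete from any_table where value in('"

# Assumed allow-list for a project name: letters, digits, space, _ . -
PROJECT_RE = re.compile(r"\A[A-Za-z0-9_ .-]{1,64}\Z")


def fresh_db():
    """Constructed sample schema: projects(id, name) and any_table(value).
    The empty-string row exists so the post's 'in(\"\")' tail has something
    to match."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table projects(id integer primary key, name text);
        create table any_table(value text);
        insert into any_table(value) values ('alpha'), (''), ('beta');
        """
    )
    return conn


def insert_project_unsafe(conn, project):
    """The vulnerable pattern: $project spliced into the SQL text.
    executescript() stands in for a driver that runs stacked statements,
    which is what the injected '; delete ...' relies on."""
    sql = "insert into projects values(null, '%s')" % project
    conn.executescript(sql)


def insert_project_safe(conn, project):
    """Placeholder version: the value travels separately from the SQL text,
    so it is stored verbatim and is never parsed as SQL."""
    conn.execute("insert into projects values(null, ?)", (project,))
    conn.commit()


def project_name_ok(project):
    """The known-good filter the reply recommends on top of placeholders."""
    return PROJECT_RE.fullmatch(project) is not None


def snapshot(conn):
    """Return (project names, any_table values) for inspection."""
    names = [r[0] for r in conn.execute("select name from projects order by id")]
    values = [r[0] for r in conn.execute("select value from any_table order by rowid")]
    return names, values


def demo(safe):
    """Run PAYLOAD through one of the two insert paths on a fresh database."""
    conn = fresh_db()
    (insert_project_safe if safe else insert_project_unsafe)(conn, PAYLOAD)
    return snapshot(conn)


if __name__ == "__main__":
    print("unsafe:", demo(safe=False))   # second statement ran, row deleted
    print("safe:  ", demo(safe=True))    # payload stored as a plain name
    print("allow-list accepts payload?", project_name_ok(PAYLOAD))
```

The unsafe path stores an empty project name and silently executes the second statement; the placeholder path stores the whole payload as data and touches nothing else. The regex check is independent of either and should be applied before the database call, as the reply suggests.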
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html