[Catalyst] [OT] protecting against attacks with multilingual input
Brandon Black
blblack at gmail.com
Tue Dec 5 19:22:32 GMT 2006
On 12/5/06, Dave Howorth <dhoworth at mrc-lmb.cam.ac.uk> wrote:
> Brandon Black wrote:
> > On 12/5/06, Daniel McBrearty <danielmcbrearty at gmail.com> wrote:
> >
> >> This is what I'm talking about. I don't know this technique - I
> >> thought the only approach was to filter input. I'm using DBIx, AFAIK
> >> it does use placeholders ... ? If so, I can just take input, do some
> >> basic "sanity" filtering, and store?
> >
> > Yes, DBIC does use placeholders in most situations. However, the
> > NoBindVars-based Storage classes do not. This includes the notable
> > example of MSSQL via DBD::Sybase, which uses NoBindVars to work around
> > issues with FreeTDS and/or DBD::Sybase. The only really good way to
> > fix this is to fix the DBD's or underlying DB libraries to properly
> > support bind variables in all cases.
>
> If you can't use bind variables, can't you just use DBI's quote method
> to prevent SQL injection?
>
> $sql_safe = $dbh->quote($value);
>
NoBindVars does use $dbh->quote() in place of normal placeholder
support, but I'm still not entirely sure that's as safe as real
placeholders for certain attack strings on certain vendors. The code
that does this is here:
http://search.cpan.org/src/BRICAS/DBIx-Class-0.07003/lib/DBIx/Class/Storage/DBI/NoBindVars.pm
-- Brandon
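As an added illustration of the two paths Brandon contrasts (real placeholders versus quote-and-interpolate as in NoBindVars), here is a small Python/sqlite3 analogue; it is not code from this thread or from DBIx::Class. The quote_literal() helper is a constructed stand-in for what $dbh->quote() does on most drivers (wrap in single quotes, double embedded quotes), and the sample names are constructed multilingual inputs, some containing quote characters. The point it makes is that the placeholder path keeps user data out of the SQL text entirely, with no filtering, while the quoted path hands the server a statement that contains the user's bytes and relies on the escaping rules matching the server's parser.

```python
import sqlite3

# Constructed sample inputs: multilingual names, several with embedded quotes.
SAMPLE_NAMES = ["Zoë O'Brien", "日本語 ユーザー", "Müller, Jörg", "D'Angelo \"Dee\""]


def quote_literal(value: str) -> str:
    """Constructed stand-in for DBI's $dbh->quote(): wrap in single quotes and
    double any embedded single quote. This is the NoBindVars-style path: the
    value becomes part of the SQL text that the database must parse."""
    return "'" + value.replace("'", "''") + "'"


def quoted_statement(value: str) -> str:
    """The full INSERT as it would be sent when values are interpolated."""
    return "INSERT INTO users (name) VALUES (" + quote_literal(value) + ")"


def insert_with_placeholders(conn: sqlite3.Connection, names) -> None:
    # Bind-variable path: the SQL text is constant; values travel separately
    # and are never parsed as SQL, whatever characters or script they contain.
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in names])


def insert_with_quoting(conn: sqlite3.Connection, names) -> None:
    # Quote-and-interpolate path: each value is escaped into the statement text.
    for n in names:
        conn.execute(quoted_statement(n))


def roundtrip(use_placeholders: bool, names=SAMPLE_NAMES):
    """Insert the names by one of the two paths and read them back in order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    if use_placeholders:
        insert_with_placeholders(conn, names)
    else:
        insert_with_quoting(conn, names)
    rows = [r[0] for r in conn.execute("SELECT name FROM users ORDER BY rowid")]
    conn.close()
    return rows


if __name__ == "__main__":
    print("placeholders:", roundtrip(True))
    print("quoted      :", roundtrip(False))
    print("statement sent on the quoted path:", quoted_statement(SAMPLE_NAMES[0]))
```

On SQLite both paths round-trip every sample unchanged, which is exactly why the difference is easy to overlook; the quoted_statement() output shows what the server actually has to parse on the NoBindVars path, and that is the part whose safety depends on the driver's escaping agreeing with the vendor's parser and character-set handling.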