Taint mode and SQL
Tom Allison 2006-03-25, 6:57 pm
I was looking at some code of mine and it seems that there is a potential for a
problem here that I wasn't aware of.

I'm using CGI and DBI together and found that I can do the following under Taint
just fine.

my $username = $q->param('username');
and later on...
my $sql = "select .. from .. where username = '$username'";
my $ref = $dbh->selectrow_arrayref($sql)

without any complaints.

I would have expected this to require me to do something to untaint the value in
$username.

Doesn't this lead to SQL injections?

Or is that only on update/insert/delete queries instead of select.
Chris Charley 2006-03-25, 6:57 pm
----- Original Message -----
From: "Tom Allison" <tallison@tacocat.net>
Newsgroups: perl.beginners
To: "beginners perl" <beginners@perl.org>
Sent: Saturday, March 25, 2006 1:33 PM
Subject: Taint mode and SQL
> I was looking at some code of mine and it seems that there is a potential
> for a problem here that I wasn't aware of.
>
> I'm using CGI and DBI together and found that I can do the following under
> Taint just fine.
>
> my $username = $q->param('username');
> and later on...
> my $sql = "select .. from .. where username = '$username'";
> my $ref = $dbh->selectrow_arrayref($sql)
>
> without any complaints.
>
> I would have expected this to require me to do something to untaint the
> value in $username.
>
> Doesn't this lead to SQL injections?
>
> Or is that only on update/insert/delete queries instead of select.
I don't know if this will be helpful, but here is a column by Randal
Schwartz describing SQL injection attacks.
http://www.stonehenge.com/merlyn/UnixReview/col58.html
Tom Phoenix 2006-03-25, 9:57 pm
| On 3/25/06, Tom Allison <tallison@tacocat.net> wrote:
> I would have expected this to require me to do something to untaint the
> value in $username.
Think of taint checking as a big safety net with holes in it. It's
better than no net at all, but it's not perfect safety.
> Doesn't this lead to SQL injections?
Probably. I just heard Randal talking today about somebody whose name
was O'Brien. Every time he types "O'Brien" into a web form, he finds
out whether that form has an SQL injection vulnerability. :-) What
happens when there's an apostrophe in your username?
Hope this helps!
--Tom Phoenix
Stonehenge Perl Training
| > I would have expected this to require me to do something to untaint the value in
> $username.
I've found that the Perl taint checker has rarely been incorrect since
that actual information is contained inside each variable. I'm more
inclined to think that Taint mode isn't on in that program.
If you're running under Apache2, you'll need to use a new directive
called PerlTaintCheck.
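Tom Phoenix's "safety net with holes" point and the suggestion above that taint mode may simply not be on can both be checked with a short stand-alone script. The following is an added example and not code posted in this thread; it assumes Perl 5.8 or later with DBI and DBD::SQLite installed, and the users table and its two rows are constructed here for the demo. It shows that -T is on and the input is tainted, that DBI still accepts the interpolated statement (DBI does not look at taintedness unless its TaintIn attribute is set), that the apostrophe in O'Brien breaks that statement, and that placeholders handle the same value correctly.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as: perl -T taint_sql.pl [username]
# Assumes DBI and DBD::SQLite are installed; the table and rows below are
# constructed for the demo.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T anything that came from outside the program is tainted. To get a
# tainted value without CGI, use perlsec's zero-length-substring trick:
# concatenating a tainted empty string taints the result. In the CGI this
# would simply be $q->param('username').
my $username = substr($ENV{PATH}, 0, 0) . (@ARGV ? $ARGV[0] : "O'Brien");
printf "taint mode on: %s, username tainted: %s\n",
    ${^TAINT} ? 'yes' : 'no', tainted($username) ? 'yes' : 'no';

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (username TEXT, email TEXT)');
$dbh->do(q{INSERT INTO users VALUES ('tallison', 'tallison@example.com')});
$dbh->do(q{INSERT INTO users VALUES ('O''Brien',  'obrien@example.com')});

# 1. Interpolation, as in the original post. DBI does not check taintedness
#    by default, so -T says nothing. The apostrophe in O'Brien breaks the
#    statement, and a username such as   x' OR '1'='1   turns it into a
#    query that matches every row, returning someone else's email.
my $sql = "SELECT email FROM users WHERE username = '$username'";
my $row = eval { $dbh->selectrow_arrayref($sql) };
print 'interpolated: ',
    ($@ ? "error: $@" : ($row ? "$row->[0]\n" : "no such user\n"));

# 2. Placeholders. The value never becomes part of the SQL text, so the
#    apostrophe is just data and the injection string matches nothing.
my $sth = $dbh->prepare('SELECT email FROM users WHERE username = ?');
$sth->execute($username);
my ($email) = $sth->fetchrow_array;
print 'placeholder:  ', (defined $email ? $email : 'no such user'), "\n";

# 3. To give the net fewer holes, set DBI's TaintIn attribute: while -T is
#    on, most DBI methods then croak when handed a tainted argument (SQL
#    text or bind value), forcing you to untaint on purpose with a regex.
$dbh->{TaintIn} = 1;
eval { $dbh->selectrow_arrayref($sql) };
print 'with TaintIn: ', ($@ ? "refused: $@" : "accepted\n");
```

Run it as `perl -T taint_sql.pl` (the -T on the shebang line is only honoured when the script is executed directly; otherwise Perl complains that -T is too late), then again as `perl -T taint_sql.pl "x' OR '1'='1"`. With the default O'Brien the interpolated query fails with a syntax error while the placeholder query finds the right row; with the injection string the interpolated query returns the first user's email while the placeholder query finds nobody. In both runs the tainted value passes through DBI unchallenged until TaintIn is switched on, which is the answer to the original question: -T tracks the data, but DBI is not one of the places Perl checks it unless you ask.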