Full Disclosure mailing list archives
Re: Question: is this exploitable?
From: Jason Dixon <jason () dixongroup net>
Date: 18 Oct 2003 09:41:05 -0400
On Sat, 2003-10-18 at 09:18, Jonathan A. Zdziarski wrote:
> $sth = $dbh->prepare("insert into projects values(null,\"$project\")");
>
> $project = qq!"); delete from any_table where value in("!;
>
> executes:
>
> insert into projects values(null, ""); delete from any_table where value in("");
IIRC, using placeholders in your prepared statement should escape everything properly. Something like:

    my $insert_stmt = "insert into projects values (?,?)";
    my $sth = $dbh->prepare($insert_stmt);
    # undef binds an SQL NULL (a bare NULL is not valid Perl under strict);
    # $project is passed to the driver as a bound value, not spliced into the SQL text
    $sth->execute(undef, $project);

Of course, it's still a good idea to filter $project through a known good regex.

I highly suggest the following title by Kevin Meltzer and Brent Michalski. The volume introduces the reader to CGI programming, starting them off with good security practices, rather than trying to tack it on as an after-thought.

Writing CGI Applications with Perl
Publisher: Addison-Wesley
ISBN: 0201710145

-J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
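The two approaches contrasted in the reply, run side by side against a throwaway database. This is an added example, not code from the thread or from any poster; it assumes DBI and DBD::SQLite are installed and uses an in-memory SQLite database. Because SQLite reads double quotes as identifier quotes (MySQL reads them as strings), the statement and the payload use single quotes instead of the thread's double quotes. The tables, the seed row, the sqlite_allow_multiple_statements flag and the helper names are all constructed for this demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Throwaway in-memory database (assumes DBD::SQLite is available).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Let the driver run several ';'-separated statements in one call so the
# interpolated query behaves the way the thread describes. Many drivers refuse
# stacked statements by default; that is defence in depth, not a fix, because
# the attacker still controls the SQL text of the first statement.
$dbh->{sqlite_allow_multiple_statements} = 1;

# Constructed schema and seed data for the demo.
$dbh->do("create table projects (id integer primary key autoincrement, name text)");
$dbh->do("create table any_table (value text)");
$dbh->do("insert into any_table values ('keep me')");

# Hostile input, same shape as the payload in the thread, with single quotes
# because this runs on SQLite.
my $project = qq!'); delete from any_table where value in('!;

# Rows left in any_table; the attack succeeds when this drops to zero.
sub count_any_table {
    my ($count) = $dbh->selectrow_array("select count(*) from any_table");
    return $count;
}

# Vulnerable: user data spliced into the SQL text, as in the original question.
sub insert_interpolated {
    my ($name) = @_;
    my $sth = $dbh->prepare("insert into projects values(null,'$name')");
    $sth->execute;
}

# Fixed: placeholders. The driver sends $name as a bound value, never as SQL,
# so the quote and semicolon in it are stored literally. undef binds SQL NULL.
sub insert_with_placeholders {
    my ($name) = @_;
    my $sth = $dbh->prepare("insert into projects values (?, ?)");
    $sth->execute(undef, $name);
}

# Most recently inserted project name, to show what actually got stored.
sub last_project_name {
    my ($name) = $dbh->selectrow_array(
        "select name from projects order by id desc limit 1");
    return $name;
}

printf "before:                   any_table has %d row(s)\n", count_any_table();

insert_with_placeholders($project);
printf "after placeholder insert: any_table has %d row(s)\n", count_any_table();
printf "stored project name:      %s\n", last_project_name();

insert_interpolated($project);
printf "after interpolated insert: any_table has %d row(s)\n", count_any_table();
```

Run it with `perl` and compare the two counts: the placeholder insert stores the whole payload as an ordinary project name and leaves any_table untouched, while the interpolated insert executes the trailing delete. Note that the placeholder fixes the injection on its own; the "known good regex" the reply also recommends is input validation for the application's sake, not what stops the SQL from being altered.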
Current thread:
- Question: is this exploitable? Paulo Pereira (Oct 18)
- Re: Question: is this exploitable? Jonathan A. Zdziarski (Oct 18)
- Re: Question: is this exploitable? Jason Dixon (Oct 18)
- Re: Question: is this exploitable? Randal L. Schwartz (Oct 18)
- Re: Question: is this exploitable? John Sage (Oct 18)
- Re: Question: is this exploitable? Codex (Oct 18)
- Re: Question: is this exploitable? Jonathan A. Zdziarski (Oct 18)
- Re: Question: is this exploitable? Paul Tinsley (Oct 18)
- Re: Question: is this exploitable? Jonathan A. Zdziarski (Oct 18)
- Re: Question: is this exploitable? Paul Tinsley (Oct 18)
- Re: Question: is this exploitable? Jonathan A. Zdziarski (Oct 18)
- Re: Question: is this exploitable? Jonathan A. Zdziarski (Oct 18)