Full Disclosure mailing list archives

Re: Question: is this exploitable?


From: Paul Tinsley <pdt () jackhammer org>
Date: Sat, 18 Oct 2003 22:22:54 -0500

"Escaping quote characters might work OK in MySQL, but it is at best only a database-dependent solution." Nobody said anything about simply quoting a string; if you read the description I posted of quote, it does more than that. The function that we are talking about IS part of DBI, not some crazy cooked-up thing that was written just for MySQL. I never quoted the DBD::mysql documentation; all of that came directly from DBI. If the driver writer implements all the calls DBI documents that are available, this should work fine. If not, it's a problem with the driver, not with the user.

"You'd have to write an entirely different mechanism to untaint data bound for Oracle...and another one for other different database implementations."
That is DBD's job...

"For one, they keep you in a database-independent environment (which makes sense, since you're using DBI)."
Good thing he was suggesting to use part of DBI.

As for which is the better of the two ways, there was no argument there. I was simply answering your question as to how it protected from SQL injection.

Thanks,
  Paul Tinsley

P.S. - If you wish to further debate it, I suggest we take it off list, we have definitely gone off topic at this point.

Jonathan A. Zdziarski wrote:

Escaping quote characters might work OK in MySQL, but it is at best only
a database-dependent solution.  Take a look at Oracle, instead of
double-quotes, single-quotes are used.  And instead of being escaped,
they are simply doubled (e.g. ' becomes '').  You'd have to write an
entirely different mechanism to untaint data bound for Oracle...and
another one for other different database implementations.

This is why placeholders are a better solution.  For one, they keep you
in a database-independent environment (which makes sense, since you're
using DBI).  For another, they ensure you don't have to worry about
accidentally missing the escaping of some data.

On Sat, 2003-10-18 at 22:36, Paul Tinsley wrote:
I don't believe this is a true statement.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
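The three approaches argued over in the thread, side by side, as an added example that is not part of the original post or of DBI's own documentation. It assumes DBD::SQLite is installed and uses an in-memory database as a stand-in for the real backend; the table, the rows and the "user-supplied" input are constructed here. The input is a name containing an apostrophe, which is enough to show why the interpolated version fails while both $dbh->quote and placeholders hand the value to the driver intact.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database stands in
# for whatever backend the real application talks to; the point is that
# neither quote() nor placeholders need to know which one it is.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed sample schema and rows.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$dbh->do("INSERT INTO users (name) VALUES ('alice')");
$dbh->do("INSERT INTO users (name) VALUES ('O''Brien')");

# Constructed "user-supplied" value containing a quote character.
my $input = "O'Brien";

# 1. Unsafe: the value is interpolated into the SQL text. The apostrophe
#    terminates the literal early, so the statement is malformed; a
#    differently shaped input would change what the statement does.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT id FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# 2. $dbh->quote: DBI delegates to the driver (the DBD) to produce a
#    literal that is valid for this backend, so the escaping rule is not
#    hard-coded in application code.
sub lookup_quoted {
    my ($dbh, $name) = @_;
    my $sql = "SELECT id FROM users WHERE name = " . $dbh->quote($name);
    return $dbh->selectall_arrayref($sql);
}

# 3. Placeholder: the value never becomes part of the SQL text at all;
#    it is bound separately when the prepared statement is executed.
sub lookup_placeholder {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare("SELECT id FROM users WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

for my $case (['interpolated', \&lookup_interpolated],
              ['quote()',      \&lookup_quoted],
              ['placeholder',  \&lookup_placeholder]) {
    my ($label, $fn) = @$case;
    my $rows = eval { $fn->($dbh, $input) };
    if ($@) {
        (my $err = $@) =~ s/\s+$//;
        printf "%-13s -> error: %s\n", $label, $err;
    } else {
        printf "%-13s -> %d row(s) matched\n", $label, scalar @$rows;
    }
}

$dbh->disconnect;
```

Run it with a plain `perl` invocation. The interpolated lookup dies with a syntax error from the driver, while the other two return the single matching row. Between those two, the placeholder version is the one that cannot be forgotten for a single value: with quote() every interpolation site has to be checked individually, whereas with prepare/execute the statement text contains no user data to begin with.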