Comments on: Programming Like It’s 1999

By: mike

mike — Sat, 11 Feb 2012 10:44:13 +0000

I’d love to see an example of how this looks on a site/page php/html
anyone have a link?

By: Name

Name — Mon, 19 Dec 2011 02:30:08 +0000

Bobby Tables! I don’t even have to click the link

By: Ed Avis

Ed Avis — Thu, 24 Nov 2011 19:59:41 +0000

Zefram gave an example of a case that your code misses. The point is that by ‘enumerating badness’, you make sure that if you’ve overlooked something it will be a vulnerability. Better to fail safe by rejecting anything not in a list of characters you know to be okay. Both solutions (yours and mine) need extending to handle additional characters: yours does not handle backslash correctly, and mine doesn’t do accented characters. But the consequences of that omission are different. You need to write the test so that even if you have missed something out (which will inevitably happen), it won’t leave you with SQL injection bugs. Losing some accented characters is a much more benign failure mode IMHO.

By: Dave Cross

Dave Cross — Thu, 24 Nov 2011 14:20:04 +0000

Good idea. See here.

By: Alex

Alex — Thu, 24 Nov 2011 14:12:05 +0000

This is a good example for newbies how things should happen in modern perl. I am going to show it to my students. But can you make a copy of original script, because it can dissappear.

By: Toby Inkster

Toby Inkster — Wed, 23 Nov 2011 17:07:08 +0000

The SQL standard way of escaping single quotes is not to backslash them, but to double them up. That is:

s{‘}{”}g

Of course, many SQL databases support backslash escaping instead of or as well as the SQL standard method.

By: Zefram

Zefram — Wed, 23 Nov 2011 12:05:02 +0000

Your single-quote escaping is *not* sufficient to avoid SQL injection. Most obviously, backslashes also need to be escaped. Specific exploit: I give you the string q{\');drop database imdb;-- }. You escape the single quote yielding q{\\');drop database imdb;-- }, and then stick it into quotes yielding q{insert into movie (...) values ('\\');drop database imdb;-- ', ...);}. The q{'\\'} parses as a complete string literal, representing a string containing a single backslash. You lose. The right way to embed data in SQL is to have a function whose input is a data object (in whatever form you're dealing with in Perl space) and whose output is a string of SQL source constituting an expression that will evaluate to the in-database representation of the same data. If you're dealing with a string (or anything that you represent as a string in SQL space) then you'd expect that output expression to be in the form of an SQL string literal. The concept generalises to all SQL data types, including ones that don't have a literal syntax, and to all types of object that you deal with in Perl space. Here's the specific logic that I developed at $ork to represent a Perl octet string as an SQL octet string:

my %char_escape = ( "\0" => "\\0", "'" => "\\'", "\\" => "\\\\" );
sub sql_octetstring($) {
    my($value) = @_;
    die "not an octet string"
      unless Params::Classify::is_string($value)
      && $value =~ /\A[\x00-\xff]*\z/;
    $value =~ s(([\0\'\\]))($char_escape{$1})eg;
    return "'$value'";
}

This is specifically for MySQL; you need to experiment to write the correct equivalent for your particular database. Also, obviously, if you're dealing with general Unicode then you'll need an encoding layer on top of this. You use it like "where title=@{[sql_octetstring($title)]}" or "values (@{[join(q(, ), map { sql_octetstring($film{$_}) } @fields)]})". The babycart operator is brilliant for this sort of thing, because it gives you all the right cues about the nesting that is logically occurring.

By: Dave Cross

Dave Cross — Wed, 23 Nov 2011 11:41:01 +0000

I can be confident that your version will break a lot of the data I get back from the API See an example. See how much non-alphanumeric data it includes?

I’m becoming more confident in my solution. The argument goes like this. You can only do nasty things to me if you can close my SQL statement and open a new one. All of my interpolated data is within single-quoted strings. Therefore, to start a new statement you need to close my string. But by escaping any single quotes in the data I’m preventing you from doing that.

What am I missing?

By: Ed Avis

Ed Avis — Wed, 23 Nov 2011 11:30:24 +0000

Escaping single quotes *might* be enough to avoid SQL injection attacks, or it might not be. Are you comfortable relying on it? I would prefer something more paranoid like

foreach (@fields) {
    $film{$_} = tr/A-Za-z0-9 /_/cs;
}

OK that might be a bit extreme, but you can be confident it is safe.

By: Stefan

Stefan — Tue, 22 Nov 2011 21:05:27 +0000

http://xkcd.com/327/
no more comments needed.