Muskovitz has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,
I got a problem logging in and posting on my recently created Perl webpage; here's my cut code:

    Login - Code

    use DBI;

    my $type="mysql";
    my $database="database_one";
    my $host="localhost";
    my $port="3306";
    my $user="root";
    my $pwd="*****";
    my $dsn="dbi:$type:$database:$host:$port";
    my $connect=DBI->connect($dsn,$user,$pwd);

    >> HTML CODE HERE <<

    # placeholders (?) bind the submitted values; the input never becomes part of the SQL text
    $query=qq{SELECT * FROM login WHERE username=? AND password=?};
    $queryhandle=$connect->prepare($query);
    my $login=$queryhandle->execute($param{username},$param{password});
    if($login!=0){
        ...
    }else{
        ...
    }

    Post - Code

    >>HTML CODE HERE<<

    $query=qq{INSERT INTO feed(details,name,date)VALUES(?,?,?)};
    $queryhandle=$connect->prepare($query);
    $queryhandle->execute("$postparam{details}","$postparam{name}","$postparam{date}");
    $queryhandle->finish;
    ...
Every time I use this SQL query "or '1'='1 ' or 'x'='x'" I get redirected to a 403 Forbidden page. Any idea on how to get rid of this? Thanks in advance!

Re: SQL Injection Queries in Perl/CGI
by hardburn (Abbot) on Dec 11, 2015 at 14:35 UTC

    You're using placeholders correctly, so what it's really saying is that there's no user in the database named or '1'='1 '. The query comes back with zero rows, and presumably something else in the code is seeing that and throwing the 403 (a perfectly reasonable response code for a bad username). Since you're using placeholders, it's likely that no SQL injection attacks are taking place--good job!

    As far as I can see from here, it's behaving exactly as it should.


    "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

      That's so great to hear! But how can I fix this 403 Forbidden?

        From what I can tell, there's nothing that needs to be fixed. If the app is meant to throw a 403 when an invalid username is sent, then it's doing the right thing as it is.

        Is it supposed to do something else when it gets an invalid user?


        "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.
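A runnable illustration of hardburn's point, added here and not part of any post in this thread: the same login lookup done with placeholders and, for contrast, with string interpolation, run against a constructed in-memory SQLite table (assumes DBD::SQLite is installed; the table contents, the login_ok names and the probe string are made up for the demo).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the poster's MySQL "login" table (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE login (username TEXT, password TEXT)");
$dbh->do("INSERT INTO login VALUES (?, ?)", undef, "alice", "s3cret");

# Safe form: placeholders bind the whole submitted string as one value, so an
# input like "' OR '1'='1" is just a username that is not in the table.
sub login_ok {
    my ($dbh, $user, $pass) = @_;
    my $sth = $dbh->prepare("SELECT 1 FROM login WHERE username=? AND password=?");
    $sth->execute($user, $pass);
    # execute() only reports that the statement ran; fetch a row to learn
    # whether any user actually matched, then map "no row" to a login failure.
    my ($hit) = $sth->fetchrow_array;
    $sth->finish;
    return $hit ? 1 : 0;
}

# Unsafe form, for contrast only: interpolating the input lets it rewrite the
# WHERE clause, which is the bug placeholders exist to prevent.
sub login_ok_interpolated {
    my ($dbh, $user, $pass) = @_;
    my ($hit) = $dbh->selectrow_array(
        "SELECT 1 FROM login WHERE username='$user' AND password='$pass'");
    return $hit ? 1 : 0;
}

my $probe = "' OR '1'='1";
printf "placeholders, real credentials: %d\n", login_ok($dbh, "alice", "s3cret");
printf "placeholders, probe string:     %d\n", login_ok($dbh, $probe, $probe);
printf "interpolated, probe string:     %d\n", login_ok_interpolated($dbh, $probe, $probe);
```

The placeholder version rejects the probe just as the poster's application does (its 403 is the "no matching row" branch); only the interpolated version can be talked into accepting it.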

Re: SQL Injection Queries in Perl/CGI
by chacham (Prior) on Dec 11, 2015 at 15:17 UTC

    As hardburn pointed out, the code is fine. The query is parametrized, and therefore protected against (common) SQL injection. You can test if the statements are working by dumping the results of the query somewhere. Also, a 403 is returned by the web server. You can consult its logs to see what was passed.

      Thanks for replying... and yes hardburn, when the username/password is incorrect there's an error message 'Username/Password is incorrect', yeah.. and I need to check my web server logs.