Re: SQL Injection Queries in Perl/CGI

You're using placeholders correctly, so what it's really saying is that there's no user in the database named or '1'='1 '. The query comes back with zero rows, and presumably something else in the code is seeing that and throwing the 403 (a perfectly reasonable response code for a bad username). Since you're using placeholders, it's likely that no SQL injection attacks are taking place--good job!

As far as I can see from here, it's behaving exactly as it should.

"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

Comment on Re: SQL Injection Queries in Perl/CGI Download Code

Replies are listed 'Best First'.
Re^2: SQL Injection Queries in Perl/CGI by Muskovitz (Scribe) on Dec 11, 2015 at 14:42 UTC
That's so great to hear it! But how can i fix this 403 forbidden?	[reply]
Re^3: SQL Injection Queries in Perl/CGI by hardburn (Abbot) on Dec 11, 2015 at 14:50 UTC
From what I can tell, there's nothing that needs to be fixed. If the app is meant to throw a 403 when an invalid username is sent, then it's doing the right thing as it is. Is it supposed to do something else when it gets an invalid user? "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.	[reply]
Re^4: SQL Injection Queries in Perl/CGI by chacham (Prior) on Dec 11, 2015 at 15:13 UTC
there's nothing that needs to be fixed Except that it's logging in as root and not another user.	[reply]
Re^5: SQL Injection Queries in Perl/CGI by hardburn (Abbot) on Dec 11, 2015 at 15:48 UTC