From my point of view, saying use placeholder for security is akin to saying use Java for secuity. If you don't know WHY you need to use placeholders, then you should not be writing code that deals with sensitive data, for using placeholder and writing secure code are orthogonal. Placeholder do not make your code secure. Writing secure code makes your code secure wether or not you use placeholder. I'd even wager to say that most that does prepare(q{SELECT this FROM that WHERE data_col = '$value'}) will have many other esaly exploitable problems in the code, and the SQL injection would be the least of your worries.

The use of placeholders is normaly a feature that you will find in well-written code, but not always; I for one have seen code that uses $dbh->quote() to good effect (I know that the docs say that quote() is not required to be able to handle all input, but with some drivers quote and placeholder call the same functions). And, at times placeholders can give you a false sense of security, for example, in older version of DBD::mysql treating a string as a number in perl caused it not to be quoted when passed to a placeholder. Or how about that problem with the null byte in Postgres (I wonder if it could be exploited?) Or maybe you are dynamically generating SQL to use placeholders based on an abritray set of entries returned, but if you don't limit the set used to generate the where clause, instant segfault. eg. 

perl -MDBI -e '$h = 
DBI->connect("dbi:Pg:dbname=template1","",""); 
$h->prepare("?"x10000);'

perl -MDBI -e '$h = DBI->connect("dbi:oracle","","");
$h->prepare("?"x10000000);'

[download]

Both of the above problems would be fixed with good coding but not just using placeholders. (Site note, using $dbh->quote() would have worked just fine.)

Do not get me wrong; I am not saying not to use place holder... USE THEM!! I am saying that if you are going to write secure code you have to know why your code is secure and not just fall back on a litany of simple rules like 'use placeholders'

In reply to Know what you are doing For SECURITY! by tantarbobus
in thread Use placeholders. For SECURITY! by tilly

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.