You are interpolating into a string and then using that string as a sprintf template. You are also not using placeholders, nor quoting things that go directly into the SQL.

Consider the following things that can go wrong when generating your SQL:

• The first character of $search is right next to a "%" character. So by putting in a character that sprintf recognizes, you can "steal" the number meant for the LIMIT clause.

  my $search = "foobar";
  printf "WHERE blah LIKE '%$search%' LIMIT %d,%d\n", 1, 2;
  
  # ... LIKE '%foobar' ...
  #           ^^
  
  # WHERE blah LIKE '1.000000oobar%' LIMIT 2,0
  [download]

• Steal both numbers meant for the LIMIT clause, since "%" symbols in $search are not escaped

  my $search = "f %d";
  printf "WHERE blah LIKE '%$search%' LIMIT %d,%d\n", 1, 2;
  
  # WHERE blah LIKE '1.000000 2%' LIMIT 0,0
  [download]

• Other special symbols are not escaped, and directly included in the SQL:

  my $search = "' OR '1' LIKE '1";
  printf "WHERE blah LIKE '%$search%' LIMIT %d,%d\n", 1, 2;
  
  # WHERE blah LIKE '%' OR '1' LIKE '1%' LIMIT 1,2
  [download]

You can even do nastier stuff with a sprintf injection attack -- like change the value of variables in the script! So it is not just the SQL statement or database that might be affected.

Solutions/suggestions:

• use DBI placeholders for inserting user-supplied data into the SQL statement (for automatic escaping of SQL special chars).
• Don't directly interpolate user-supplied data into a s/printf statement (to avoid sprintf injection).
• Don't use s/printf when you have "%" characters all over the SQL statement (it's not clear whether the "%" chars of the SQL statement will be eaten up by s/printf or not).

---

---

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

• How do I compose an effective node title?
• How do I post a question effectively?
• Markup in the Monastery

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		&
	<		&lt;
	>		&gt;
	[		&#91;
	]		&#93;

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.