If you use DBI with placeholders in your SQL, you're fairly safe against injection of "evil" code.

I use something like this in my code:

    # $cgi and $dbh are the request object and an open DBI handle.
    my $id    = $cgi->param('user_id');
    # The "?" is a placeholder; the value is bound at execute time, never
    # interpolated into the SQL string.
    my $query = $dbh->prepare("SELECT columns FROM users WHERE id = ?");
    $query->execute($id);

Since DBI handles the argument passing for me, the worst thing that can happen is that the type of the URL parameter doesn't match that of the column in the database, and the database handler dies with an error. (But since the user tried to subvert my page, I don't really care).

There is another problem though: You have to store the session. If your sessions live rather long, a malicious user agent could just request pages over and over again, and each time a new session is stored on disk.

The client simply discards the cookie, and your application will happily generate new cookies.

To ward off these kinds of attacks you simply have to read your log files on a regular basis.


In reply to Re: What if the bad-guys send nonsense as a session-id? by moritz
in thread What if the bad-guys send nonsense as a session-id? by locked_user sundialsvc4
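The placeholder idea from the post above, carried through as a complete session lookup (added example, not moritz's code): the id is checked for its expected shape before the database is consulted, bound through a DBI placeholder so its content can never change the SQL, and a driver error during the lookup is caught so the page degrades to "no session" instead of dying. The DBD::SQLite driver, the 32-hex-character id format and the table contents are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Assumes DBD::SQLite is
# installed; the schema, rows and inputs below are constructed for the demo.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT NOT NULL)");
my $ins = $dbh->prepare("INSERT INTO sessions (id, user) VALUES (?, ?)");
$ins->execute(@$_) for (
    ['0123456789abcdef0123456789abcdef', 'alice'],
    ['fedcba9876543210fedcba9876543210', 'bob'],
);

# Prepare once, execute many times with different bound values.
my $lookup = $dbh->prepare("SELECT user FROM sessions WHERE id = ?");

# Returns the user owning a session id, or undef for anything that does not
# match exactly one stored session.
sub user_for_session {
    my ($sid) = @_;

    # Assumed id format: 32 lowercase hex characters. Anything else is
    # nonsense and is rejected without a database round trip. (Even without
    # this check, the placeholder below would bind the string literally.)
    return undef unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;

    my $user;
    eval {
        $lookup->execute($sid);            # bound value, never interpolated
        ($user) = $lookup->fetchrow_array;
        $lookup->finish;
        1;
    } or do {
        # Driver error (e.g. a type mismatch on a database stricter than
        # SQLite): log it and treat the request as unauthenticated.
        warn "session lookup failed: $@";
        return undef;
    };
    return $user;
}

# Constructed inputs: a real id, random junk, an id-shaped string that is
# not in the table, and a string containing a quote character.
for my $sid ('0123456789abcdef0123456789abcdef',
             'zzz-not-a-session',
             'ffffffffffffffffffffffffffffffff',
             "x' OR 'a'='a") {
    my $user = user_for_session($sid);
    printf "%-34s -> %s\n", $sid, defined $user ? "user $user" : "no session";
}
```

Only the first input resolves to a user; the other three are reported as "no session" without any error reaching the client.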
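The session-flooding pattern described in the post, as a log check one could run periodically (added example, not moritz's code): a client that keeps receiving fresh sessions while never sending a cookie back is discarding them. The log format is an assumption made here, one application-written line per request with the client address, whether a cookie was presented and whether a new session was created; the lines are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. The log format and the
# lines themselves are constructed for the demo.
use strict;
use warnings;

my @log = (
    '2024-03-01T10:00:01Z ip=198.51.100.4 cookie=no  new_session=yes',
    '2024-03-01T10:00:02Z ip=198.51.100.4 cookie=yes new_session=no',
    '2024-03-01T10:00:02Z ip=203.0.113.7  cookie=no  new_session=yes',
    '2024-03-01T10:00:03Z ip=203.0.113.7  cookie=no  new_session=yes',
    '2024-03-01T10:00:03Z ip=198.51.100.4 cookie=yes new_session=no',
    '2024-03-01T10:00:04Z ip=203.0.113.7  cookie=no  new_session=yes',
    '2024-03-01T10:00:05Z ip=203.0.113.7  cookie=no  new_session=yes',
    '2024-03-01T10:00:06Z ip=192.0.2.9    cookie=no  new_session=yes',
);

# Count, per client, total requests, requests that created a session and
# requests that arrived with no cookie at all.
sub session_stats {
    my @lines = @_;
    my %stats;
    for my $line (@lines) {
        my ($ip, $cookie, $new) =
            $line =~ /\bip=(\S+)\s+cookie=(yes|no)\s+new_session=(yes|no)/
            or next;
        $stats{$ip}{requests}++;
        $stats{$ip}{new_sessions}++ if $new    eq 'yes';
        $stats{$ip}{no_cookie}++    if $cookie eq 'no';
    }
    return \%stats;
}

# A client is flagged when it obtained at least $threshold new sessions and
# never once sent a cookie back: every request was a cookie-less request.
sub suspicious_clients {
    my ($stats, $threshold) = @_;
    return sort grep {
        my $s = $stats->{$_};
        ($s->{new_sessions} // 0) >= $threshold
            && ($s->{no_cookie} // 0) == $s->{requests}
    } keys %$stats;
}

my $stats = session_stats(@log);
for my $ip (suspicious_clients($stats, 3)) {
    printf "%-15s %d requests, %d new sessions, no cookie ever sent\n",
        $ip, $stats->{$ip}{requests}, $stats->{$ip}{new_sessions};
}
```

With these lines only 203.0.113.7 is flagged: 198.51.100.4 got one session and then kept presenting it, and 192.0.2.9 is a single first visit, which is normal. The threshold is a tuning knob; on a real site it would be set from the observed rate of legitimate first visits per address.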