++ Perrin.

Let me just say that again: Bind variables are easy and improve performance under many databases. Just use them.

Regardless of what you may think, placeholders are strongly recommended for security.

While DBI currently has no native support for multiple queries, that support may be coming and it's possible for DBDs to implement it whether or not DBI does.

First of all you decided that you'd only worry about a '. But the substiution that you provide is beatable by having \'. Now you substitute it into \\', which is read as \ followed by an unescaped '. Oops.

Just to pick another random item you overlooked, what about a null byte? If the driver interfaces with a C library, many will terminate what they think is the string when they see a null byte. So someone can break out of a string, insert code, and terminate the SQL statement prematurely. Not a good idea.

In any case when it comes to security it is not enough to hope that things will work out OK. You have to be paranoid. Just because you can't see the exploit doesn't mean that it isn't there. Pre-emptively remove the possibility of being exploited and maybe that will be enough. Then a new class of exploits get discovered and you can get all worried again.

I upvoted him even if I don't entirely agree because I think this is a good debate to be had. I tried some of this stuff myself a few months ago, and was surprised that the typical sample SQL injection attacks you see advertised didn't work (on my database and dbd) because it didn't execute multiple statements. What may be different is that, even after noticing that I decided to keep using placeholders, for the same reasons others have cited in this thread.

In other words, I think it's good that the OP tried to figure out how things work, but I think one should be wary of extrapolating this too far and reach the conclusion that SQL injection is "impossible".

While I agree that it is good to try these things for yourself, I objected to his very wrong conclusion.

My dear tilly,

Please take a look at my last post, regarding the point you mentioned (that was already mentioned 2 times by other friends of ours).

Regarding null-byte, please explain how can I receive this through CGI.

Regarding the judgement youīve made, "abysmally stupid advice", please, my friend, this is not the place to be this rude. This is not behaviour for a monk!

André

It has already been pointed out that null bytes can be passed through CGI. This is an idea that has been successfully applied to attacking CGI scripts that make shell commands.

There are other tricks to use as well. For instance rather than try to get multiple SQL statements in there, you can put subqueries in. Like this:

\' or exists (delete from tblusers) or --
[download]

with -- attempting to use a more traditional comment to hide the closing '. It is likely that you'd need to try several variants of this to get something that would work, and it is possible that your database is immune. That doesn't mean that depending on that immunity is OK though, because you may continue to think that you are immune when you switch to a different database. In IIS with common configuration mistakes, for instance, a subquery like this can launch a remote shell giving you direct access to the database machine. Furthermore a later rev of your current database may add features that are currently missing - and you are no longer immune.

As for the perceived rudeness, I see two good options for you. The first is to regard me as a friend who cares enough to tell you honestly when you are making a terrible mistake. The second is to regard me as a not-friend who is warning other people that he might care about about how awful your advice is because he doesn't want to see them get hurt.

I'm willing to make either option become true.

In any case I didn't say that you are abysmally stupid, just that your advice was. And it really was, you are approaching security from exactly the wrong direction. Rather than say, "I couldn't figure out how to break this, I must be OK" you need to say, "I can guarantee that this is correct." Because even if you can't figure out the trick needed to make the attack work, that is no guarantee that some attacker out there who does this all of the time (rather than just takes a day or 2 to try to get it to work) won't know some trick that you didn't think of to get this to work. Open source provides a good demonstration. There is no shortage of cases where good, experienced programmers have looked at a programming mistake in open source code and proclaimed, "OK, this is bad but I don't think it is exploitable" only to find that shortly afterwards someone has figured out how to exploit it and the exploit is in the wild.

In short, if you catch yourself thinking, "Despite knowing that this is supposed to be bad, I think that this is OK because I don't see how an attacker would attack it" you're on the wrong path. You are opening yourself up to a game of wits that you might lose and is at best a draw for you. Why play that game? If you can easily guarantee safety, there is every reason to do so and no reason not to.

Regarding null-byte, please explain how can I receive this through CGI.

Easy:

scipt.cgi?name=admin'%00
[download]

Regarding the judgement youīve made, "abysmally stupid advice", please, my friend, this is not the place to be this rude. This is not behaviour for a monk!

Well, I think it is stupid advice :-) I'm not trying to be rude, and I'm not saying that you are stupid. You're quite right in questioning something that you see as cargo-cult programming. It's just that you are advocating ignoring something that is potentially dangerous without knowing the full scale of the problem.

"What should it profit a man, if he should win a flame war, yet lose his cool?"

Insults aside, tilly makes a good point here.
You conclude that ONLY the ' is a problem because you could not find a problem with any other character/sequence.
Now if anyone else finds a problem with any other character you are screwed.
Generally speaking, it is better to ALLOW characters that you know are safe (whitelisting) than to DISALLOW characters that you know are unsafe.

I second tilly's opinion that what you are saying is plainly wrong, and here are a few points that you shoudl consider:

• my $sth = $dbh->prepare ("select username, password from users where
  sid='?';" )
  [download]

  That is simply wrong.
  Placeholders must not be quoted. A placeholder means "leave it to the database driver to deal with any quoting business."
  

• this solution will cost you a hell of a work if you like the simplicity of the do() method and have used it all over your code

  What's wrong with using the do() method with placeholders?

  $dbh->do("INSERT INTO table (id, name) values (?, ?)", undef, $id, $na
  +me);
  [download]

• But what I could conclude, after a lot of thinking and, most of all, after testing all the supposedly harmfull examples in my little script, is that the only problem is the single quote

  That depends on the database you are using, and you should not be concerned about this matter, if you care to use the $dbh->quote method, which you should go and read in the docs.

The bottom line: I am afraid you don't know what you are talking about. Please read the docs more carefully.

$input = "\\'";
[download]

I agree -- sometimes, people are more paranoid than they need to be. They quote rules that might be be years or even decades out of date. They get to be like religious customs, where it might have once served a purpose, but no one knows why they do it any more. (eg, scavengers ate rotten food, and might carry disease ... but pork doesn't have nearly the same problems these days). I know that I've seen the semicolon not allowed bit for quite a few years, but I don't know if it was a function of DBI, or DBD::Oracle (which I know was when I noticed the issue ... about 4-5 years ago (~ DBI 1.14?)).

I would still argue for testing for tainted data, and using bind variables, even with the knowledge that these particular items aren't a problem, as it's just a good practice. It's possible that the underlying modules might change (I hope by accident, and not intentionally allowing semicolons and other such bad characters), but it's better for when you're not in an environment with such hand holding.

For instance, a true story from my college days -- I worked helpdesk for the general university computer labs. We ran a stock Solaris 2.5.1 system. The engineering school ran Solaris, but they had added some 'convenience' tweaks, such as aliasing 'rm' to 'rm -i'. This resulted in lots of people typing 'rm *' and expecting prompting for which files they wanted to remove... but well, when they got to our system, there'd be no prompting, and they'd delete everything. So, the moral of the story is -- don't depend on someone else letting you be sloppy. It doesn't take that much effort to check what you're passing in, and in most cases, the impact if something did go wrong, even if it's a low overall risk, just isn't worth saving a few keystrokes for.

Hello folks,

Thanks for the comments. In fact, this reveals much more like a matter of faith than reason. I agree that if there is a solution that is consensus, maybe itīs not necessary to explore alternatives that may pay their price for the heresy.

But, for we to continue our challenge of investigating if such a simple approach can wipe away the Sql injection fear, let me go on with the polemic. Please donīt take me bad, this can be a challenge for us. Even if is to prove that in fact, the consensus is right - but then weīll at least tried to be heretic!

As Aimi pointed, what if we had this:

$input = "\\'"; # these two backslashes will print a single backslash 
+in the SQL, but, as I will add one backslash before the single quote,
+ the result there will be just the same as you can see here.
[download]

The move Aimi suggested is: a backslashed backslash is printed literally in the sql and cancels the backslash my code uses to cancel the backslashed single quote. Wow, īthis is becoming philosophy!

In fact, cancels. But Iīve been thinking and, no problem. Hereīs the messy solution the backslash trick will put our cracker into. Remember our query:

select username, password from users where sid='$input';
[download]

...wich was cracked by entering this:

5' or 1='1
[download]

Now, heīd enter:

5\\' or 1=\\'1
[download]

...resulting in:(extra spaces to see clearly)

...where sid='    5\\' or 1=\\'1        ';
[download]

Can you see the problem? The first semicolon (in the variable being interpolated), ok, heīs out there, as the backslash before him lost itīs canceling power, canceled by the backslash before her. The second single quote is out there too, free by the same method. But, and hereīs the point, the second pair of backslash sql has screwed completely any chance of doing any valid sql statement!

With the first pair the mess is not a problem, as our "5" or whatever is a value that wonīt match anyway. But with the or 1='1 we really needed silence of mess! And now there is a \\ in the middle of the attempt to compose alternative permissive code!

As we have a '; waiting to be matched at the end of the query statement (see after $input), I canīt see any way of delivering any clean syntax that has a \\ in the middle. Any query you may think would have do end as something=' or something<' or something>' or something like ' or any operator, but the end must be a value wich delimitation cleanly started with a single quote. And, about that, we now know, this single quote can be there, but not without his happy new companion \\. Please, find any hack for this if you can.

André

Prematurely breaking a select can be just as bad as inserting additional statements; consider this:

my ($id) = $dbh->selectrow_array("SELECT id FROM users WHERE NAME='$na
+me' AND PASSWORD='$password'");
[download]

If I somehow manage to break the SQL statement in $name, my password will not be checked! Without a good quoting mechanism, you could break that with

$name = "admin\'\0";
[download]

or even

$name = "admin';";
[download]

Or whatever kind of escapes your specific DBD/database combination will allow. This is the main reason for using $dbh->quote() and placeholders - the quoting mechanism can be different for different databases, and they are a little more complex than you imagine. In effect, all you're doing is trying to reinvent the $dbh->quote() method.

Why reinvent the wheel when there already is one that's been especially made for your type of car, has been checked and double-checked, and is already safely attached to your car?

"What should it profit a man, if he should win a flame war, yet lose his cool?"

--. I'm in the "really bad advice please ignore" camp. Sorry :-)

For example:

As you can read from DBI manpage, the do() and prepare() methods happen to assume a single statement

Unless you're using a driver that does allow multiple statements. Like DBD::Sybase.

Update: I, um, meant old versions of MySQL...yeah, that's it :-) (Ok, so I need to update my own mental database :)

(mysql doesn't allow subqueries, so you may be safe from that).

Oh, really?

---

My wife's blog

Use placeholders - it's not difficult to do, it avoids various quoting issues, it helps with security, and it usually gives you better performance.

Michael

But in general, I still don't think you can just disregard the threat. Rather, you should be aware of it and know how the modules you use do and do not protect you.

Seriously. If I don't actually have control of your site within minutes, I can at least knock it off the net.

------------
:Wq
Not an editor command: Wq
[download]

Hello folks,

Hey, I think one thing may have made me a little misunderstood on my intentions: Iīve posted the topic originally in the 'questions' section, not in the meditation. But it was moved by the administrator monks to this section, where it appeared as I was 'meditating', when in fact I was just 'asking'.

So perhaps the right title now for this 'meditation' would include a question mark after the "SQL Injection myths under DBI". I will update it as that to make it sound less like I am definately giving some advice on tearing apart all the advices in CGI security we learn all the way from the Lhama book. I really wasnīt. So, I think, as this can have caused justified hot reactions of some of you. Sorry. Hey, tilly, no problem, man.

Having said that, in fact null-byte really screws my idiot-solution (I assume!) of just escaping the single quote. I tested it and doesnīt matter which mess remains at the right side of the query, after the query injection - the null-byte really makes DBI unaware of aesthetics! It executes everything ītill the %00. Detail: if you want to thest this, donīt put the semicolon in the input, finish your evil query (on yourself, for test, weīre the good guys!) with the null-byte, not with semi-colon, otherwise it wonīt work and you will end up like me, saying sql injection is not a problem when it really may be.

Nevertheless, even with this technique, I couldnīt crack myself if the scaping of backslashes was included in the filtering of the input. Iīll go on searching the hacker manuals to see if I can find any way of overcome this, but it really seems as a paradox. If I canīt get a free-single quote to be inside the query, I canīt make the text I manage to input more than a strange string to be not-matched in the query. If you guys know of something, please post it up.

Cheers

André

could we not just delete the single quote(s) and other "bad" characters?

$input =~ s/\'|\"|\@//g;
[download]