in reply to is this mentality safe?

"As long as I taint and use placeholders with DBI, there's no way there'll ever be a SQL injection through this web app"

Tainting helps, but won't solve the problem, because it's always possible to untaint poorly (e.g., if you blacklist unacceptable patterns instead of whitelisting the acceptable ones).

Do you think that placeholders, by themselves, entirely solve the problem of SQL injections? That's the question.

Re^2: is this mentality safe?
by clinton (Priest) on May 18, 2007 at 11:04 UTC
    I stand under correction, but I would say yes. The reason being that everything in a placeholder goes via $dbh->quote(), so unless there is a bug in the quoting code, it should be fine.

    Also, DBI runs only one command at a time, so sticking two commands in there (as is usually done with SQL injections), shouldn't succeed.

    YMMV

    clint

      Yes, the DBI documentation says that only one command should be run at a time. That is more of a recommendation of how the DBI is intended to be used. It is not necessarily descriptive of what will be accepted. Whether multiple commands are accepted is up to the individual drivers and databases:

      In ODBC terms, the DBI is in "pass-thru" mode, although individual drivers might not be.
      - The DBI documentation

      I have seen DBD::Mysql and DBD::Sybase accept multiple commands at a time. I don't know about other drivers.

      But, as you say, unless there's a bug in the quoting code, placeholders are quite safe. They won't necessarily prevent you from running multiple commands at once, but they will prevent user-supplied data from being interpreted as SQL commands.

Re^2: is this mentality safe?
by Errto (Vicar) on May 18, 2007 at 21:13 UTC
    If you never include user-supplied data directly in a SQL statement passed to DBI, then yes, you have entirely solved the problem of SQL injection. Placeholders are the tool that lets you do that.
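The distinction Errto draws, shown as an added Perl example (not code from this thread); it assumes DBD::SQLite is installed and builds a constructed in-memory table so it runs offline:

```perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database; DBD::SQLite is assumed to be available.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (name TEXT, secret TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

# Constructed "user-supplied" values of the kind the thread discusses:
# one closes the quoted literal, one tries to stack a second statement.
my @inputs = ("x' OR '1'='1", "alice'; DROP TABLE users; --");

for my $input (@inputs) {
    # Unsafe: the value is interpolated into the SQL text, so its quote
    # characters become part of the statement and the WHERE clause changes.
    my $unsafe_sql  = "SELECT name FROM users WHERE name = '$input'";
    my $unsafe_rows = eval { $dbh->selectall_arrayref($unsafe_sql) } || [];
    printf "interpolated: input %-32s -> %d row(s)\n",
        "'$input'", scalar @$unsafe_rows;

    # Safe: the SQL text is fixed at prepare() time; $input is bound as
    # data by the driver, so no user literally named "x' OR '1'='1" exists
    # and the stacked statement is just a string that matches nothing.
    my $sth = $dbh->prepare("SELECT name FROM users WHERE name = ?");
    $sth->execute($input);
    my $safe_rows = $sth->fetchall_arrayref;
    printf "placeholder:  input %-32s -> %d row(s)\n",
        "'$input'", scalar @$safe_rows;
}

# The table is still present after the placeholder queries: the bound
# value was never parsed as SQL, whatever the driver's multi-statement policy.
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM users");
print "users table still has $count row(s)\n";
```

The interpolated query either returns every row or dies inside the eval, while the placeholder version returns none and leaves the table untouched; that is the whole of what placeholders guarantee, and it is enough as long as no user-supplied data is ever concatenated into the SQL text.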