"Incidentally, I have never heard of using -T for taint checking. What is that about?"
Firstly, I am not sure how many times I have told you this: if you are going to update a post, it is better to indicate in the post what you have changed.
So to answer your original question, taint checking is well documented, has been discussed in many articles, it is covered in relevant tutorials and super search returns many hits. So once again, reading the documentation should answer your question.
Update: Adding Win's unedited post as suggested by bart:
<node id="661296" title="Re: Preventing SQL injection attacks: are -T and placeholders not enough?" created="2008-01-09 04:55:06" updated="2008-01-09 04:55:06">
<type id="11">note</type>
<author id="304479">Win</author>
<data>
<field name="doctext">
I don't know what database system you are using. However, I would nearly always recommend holding your SQL within a stored procedure held within the database. The stored procedure will not execute unless the variables meet the data types set in the stored procedure. It has other added benefits potentially.
<br><br>
Incidentally, I have never heard of using -T for taint checking. What is that about?
</field>
<field name="root_node">661249</field>
<field name="parent_node">661249</field>
</data>
</node>
Martin
I don't use taint checking because I don't use CGI
Tainted data comes from just about every input in any environment your programs run in, but CGI is indeed a kind of wild one compared to locally run programs. However, even you could damage your own system with innocent-looking inputs to your non-CGI programs. Using -T depends on how much security consideration you (should) put on your programs. Read perlsec for more information and mind opening.
Open source softwares? Share and enjoy. Make profit from them if you can. Yet, share and enjoy!
And how do you call the stored procedure and provide parameter values? Not by interpolating strings in the SQL I hope.
If you don't use string interpolation, I guess you use placeholders, and we're back to the advice: always use placeholders.
The use of SPs is orthogonal to that issue.
/J
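An added Perl example (not from this thread) of what the posts above describe: running under -T so outside input is tainted, untainting it only through an explicit allow-list pattern, and calling a stored procedure through a DBI placeholder instead of interpolating the value into the CALL text. The MySQL DSN, the credentials, the procedure name get_user and the name/email columns it returns are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Assumes a MySQL database "app"
# with a procedure get_user(IN name VARCHAR(64)) returning name and email.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -T everything that came from outside the program (here @ARGV)
# is tainted; a literal default is not.
my $name = shift(@ARGV) // 'alice';
print "input is ", (tainted($name) ? 'tainted' : 'clean'), "\n";

# Untaint by validating against an allow-list pattern. Only the captured
# group is untainted; anything that does not match is rejected outright.
my ($clean_name) = $name =~ /\A([A-Za-z0-9_]{1,64})\z/
    or die "refusing invalid user name\n";

# DSN and credentials are placeholders to adjust for your environment.
my $dbh = DBI->connect('DBI:mysql:database=app;host=localhost',
                       'app_user', 'PASSWORD_PLACEHOLDER',
                       { RaiseError => 1, PrintError => 0 });

# Wrong: interpolating the value into the CALL statement. The stored
# procedure cannot protect this; the SQL text is assembled by string
# concatenation before the server ever sees it.
# my $sth = $dbh->prepare("CALL get_user('$name')");

# Right: the value travels as a bound parameter, never as SQL text.
my $sth = $dbh->prepare('CALL get_user(?)');
$sth->execute($clean_name);
while (my $row = $sth->fetchrow_hashref) {
    printf "%s <%s>\n", $row->{name}, $row->{email};
}
$sth->finish;
$dbh->disconnect;
```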