Re: [News] [Rival] MoD Runs Windows, Gets Cracked


On 2009-08-16, Lusotec <nomail@xxxxxxxxxx> wrote:
> Roy Schestowitz wrote:
>> Lusotec wrote:
>>> Some SQL DB servers provide things like stored procedures and
>>> parametrized queries that allow the developers to avoid SQL injections
>>> vulnerabilities but these have to be *correctly* used by the developer to
>>> have any positive effect.
>> 
>> Will these stored procedures permit an intruder to gain control over the
>> system?
>
> Stored procedures (SP) are SQL queries defined and stored in the server that
> can be called with a function call like syntax. SP are somewhat safer than
> direct SQL but if incorrectly used can be just as abused as direct SQL.
>
> Can a SQL injection be used to gain system control? Directly no, unless
> there is some serious bug in the DB server, but it can be a stepping stone
> to gain access to the system through a crappy script.

This is where "parameterised queries" come into play. Using a standard
Perl SQL DBI interface you can prepare a query for execution and then
allow for parameters to be inserted from user input. Parameters are
rejected if they don't match the type required by the prepared query.
This is the safest way of entering user generated content into
databases. You don't have to worry about stray semicolons, brackets,
braces, escape characters or quotes being inserted into your SQL
queries.

-- 
Regards,

Gregory.
Gentoo Linux - Penguin Power
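
The point Gregory makes about prepared queries with placeholders, shown as an added worked example that is not part of this thread and not Gregory's code. It uses Python's sqlite3 module rather than Perl DBI, because the DB-API placeholder model (statement text sent with `?` markers, values bound separately at execute time) is the same one DBI's prepare/execute implements, and it runs offline against an in-memory database. The table, the user rows and the function names are constructed for the illustration. The vulnerable string-built query is kept beside the parameterised one so the difference is visible on the same inputs, and a third function shows the one case placeholders do not cover: identifiers such as an ORDER BY column, which must be allow-listed instead.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
# The last user's name contains a quote on purpose: it is legitimate input
# that a string-built query cannot even handle without breaking.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
    ("carol", "p@ss", "user"),
    ("o'brien", "irish", "user"),
]

# Identifiers cannot be bound with placeholders, so they are allow-listed.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Build the statement by string interpolation.

    Whatever the caller passes is pasted into the SQL text, so a quote,
    a comment marker or an OR clause in the input becomes part of the query.
    """
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_parameterised(conn, name, password):
    """Prepare the statement with placeholders and bind the values separately.

    The driver parses the statement text once, with '?' marking where values
    go; the values themselves are never parsed as SQL, so quotes, semicolons
    and comment markers in them are just characters of the compared string.
    """
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def list_users_sorted(conn, column):
    """Sort by a caller-chosen column.

    Placeholders only bind values, not identifiers, so 'ORDER BY ?' would
    sort by a constant string. The column is checked against an allow-list
    before being spliced into the statement text.
    """
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return conn.execute("SELECT name, role FROM users ORDER BY %s" % column).fetchall()


def raises(exc_type, fn, *args):
    """Return True if calling fn(*args) raises exc_type (helper for checks)."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Classic tautology in the password field: the string-built query returns
    # every row, the parameterised one matches nothing.
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "x", tautology))
    print("parameterised:", login_parameterised(db, "x", tautology))
    # Comment-out trick in the name field: bypasses the password check only
    # when the input is interpolated into the SQL text.
    print("vulnerable:", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterised:", login_parameterised(db, "alice' --", "wrong"))
    # Legitimate input containing a quote: only the bound version works.
    print("parameterised:", login_parameterised(db, "o'brien", "irish"))
    print("vulnerable raises:", raises(sqlite3.OperationalError,
                                       login_vulnerable, db, "o'brien", "irish"))
    print("sorted:", list_users_sorted(db, "name"))
```

The protection in `login_parameterised` comes from the statement text and the bound values travelling to the engine as two separate things, so the engine never has to guess where the data ends and the SQL resumes; no escaping of quotes or semicolons is involved. The same separation is why a table or column name cannot be a placeholder: it is part of the statement text, and `list_users_sorted` has to fall back on an allow-list for it.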
