SQL injection protection

I have a bunch of Perl CGIs that take parameters and use their values in various MySQL DBI queries.

Is there a way that an attacker can harm my system (or steal data from it) if I do not allow any user-supplied value containing the words select, insert, delete or update to be used as a parameter, and as long as I wrap all user-supplied varchar values in single quotes?

I understand that this question is very similar to others, but others seem to point to various PHP solutions, and I am not using PHP, so please forgive the redundancy or point me to a related question that answers this specific question.

+3
2 answers

The correct way to do this in Perl is to use placeholders in all your SQL queries. Passing user-supplied data through DBI placeholders ensures that everything is correctly quoted. (This does not guarantee that it is protected, of course, but it will prevent SQL injection.)

+12

Use parameterized queries. Then user input is not part of the command at all, which is the only reliable way to know that the command will not be changed.

+4
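Both answers recommend the same thing, so here is one added example (not from the question or either answer) that puts the asker's keyword-blacklist-plus-quoting scheme beside a DBI placeholder query and runs the same attacker-controlled value through each. It assumes DBD::SQLite with an in-memory database so it runs offline; with DBD::mysql only the DSN changes, the placeholder usage is identical. The table, rows and payload are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: keyword blacklist + manual quoting versus DBI placeholders.
# Assumes DBD::SQLite (in-memory) so it runs without a MySQL server; with
# DBD::mysql only the connect() DSN would change.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data: a caller looking up "alice" should see one row.
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$dbh->do("INSERT INTO users (name, secret) VALUES ('alice', 'alice-secret')");
$dbh->do("INSERT INTO users (name, secret) VALUES ('bob',   'bob-secret')");

# The scheme from the question: reject a few SQL keywords, wrap the value
# in single quotes, and interpolate it straight into the SQL string.
sub lookup_blacklist {
    my ($name) = @_;
    die "rejected\n" if $name =~ /\b(select|insert|delete|update)\b/i;
    my $sql = "SELECT name, secret FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# The fix from the answers: a placeholder in the SQL, the value passed
# separately to execute(), so it is never parsed as part of the statement.
sub lookup_placeholder {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT name, secret FROM users WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

# Constructed attacker value. It contains none of the banned words, but its
# leading quote closes the string the caller opened, turning the WHERE
# clause into: name = '' OR '1'='1'
my $payload = q{' OR '1'='1};

my $rows = lookup_blacklist($payload);
printf "blacklist + quoting: %d row(s)\n", scalar @$rows;

$rows = lookup_placeholder($payload);
printf "placeholder:         %d row(s)\n", scalar @$rows;

# A legitimate value still works through the placeholder path.
$rows = lookup_placeholder('alice');
printf "placeholder, alice:  %s\n", $rows->[0][1];
```

Running it shows the blacklisted-and-quoted query returning every row (both secrets leak) while the placeholder query returns nothing for the payload and the expected row for `alice`. The payload is the simplest case; a value carrying a backslash, a comment sequence or an odd-charset byte can break manual quoting in other ways, which is why the answers say placeholders are the only reliable approach. If you ever must build a string by hand, `$dbh->quote($value)` is the DBI call for it, but placeholders remove the problem instead of patching it.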
