• Extra load on the MySQL server
• Out-of-memory problems in your script as it tries to digest the result set received from MySQL
• Extra network bandwidth consumption as the script sends the results to the client
If your script generates a DELETE or UPDATE statement, the consequences of this kind of
subversion can be much worse. Your script might issue a statement that empties a table
completely or changes all of its rows, when you intended to permit it to affect at most
a single row.
Try to Break Your Web Scripts
The discussion in this section is phrased in terms of guarding against other users attacking
your scripts. But it's not a bad idea to put yourself in the place of an attacker and adopt
the mindset, “How can I break this application?” That is, consider whether you can submit
input that it won't handle and that causes it to generate a malformed statement. If you can
cause the application to misbehave, so can other people, either deliberately or accidentally.
Be wary of bad input, and write your applications accordingly. It's better to be prepared
than just hope.
The implication of the preceding discussion is that providing a web interface to your
database opens you up to certain forms of security vulnerabilities. However, you can
prevent these problems by means of a simple precaution that you should already be
following: don't put data values received from external sources literally into statement
strings. Use placeholders or an encoding function instead. For example, handle an input
parameter in Perl using a placeholder:
$sth = $dbh->prepare("SELECT * FROM mytbl WHERE keyword = ?");
$sth->execute(param("keyword"));   # the value is bound as data, never parsed as SQL
# ... fetch result set ...
Or by using quote() :
$keyword = $dbh->quote(param("keyword"));   # escaped and wrapped in quotes by the driver
$sth = $dbh->prepare("SELECT * FROM mytbl WHERE keyword = $keyword");
$sth->execute();
# ... fetch result set ...
Either way, if the user enters the subversive value, the statement becomes harmless:
SELECT * FROM mytbl WHERE keyword = 'eggplant\' OR \'x\' = \'x'
As a result, the statement matches no rows rather than all rows—definitely a more
suitable response to someone who's trying to break your script.
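The three outcomes described above (literal interpolation, a placeholder, and a quote()-style escaping function), as an added example that is not from the book. It uses Python's sqlite3 module against a constructed in-memory table in place of Perl DBI and MySQL; the binding mechanism is the same, but the quote() stand-in here doubles quote characters because SQLite does not use the backslash escaping that the MySQL output above shows.

```python
import sqlite3

# Constructed sample table standing in for the page's mytbl
ROWS = [("eggplant",), ("tomato",), ("zucchini",)]

# The subversive input from the text: closes the quote, adds an always-true clause
SUBVERSIVE = "eggplant' OR 'x' = 'x"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytbl (keyword TEXT)")
    conn.executemany("INSERT INTO mytbl VALUES (?)", ROWS)
    return conn


def search_interpolated(conn, keyword):
    # Vulnerable: the raw value is pasted into the statement string, so the
    # quote in SUBVERSIVE ends the literal and the remainder is parsed as SQL
    sql = f"SELECT * FROM mytbl WHERE keyword = '{keyword}'"
    return conn.execute(sql).fetchall()


def search_placeholder(conn, keyword):
    # Safe: the driver binds the value; it stays data and is never parsed as SQL
    return conn.execute("SELECT * FROM mytbl WHERE keyword = ?", (keyword,)).fetchall()


def quote(value):
    # Stand-in for DBI's quote() (assumption: SQLite rules). SQLite escapes a quote
    # by doubling it; DBD::mysql backslash-escapes instead, giving the \' form above.
    return "'" + value.replace("'", "''") + "'"


def search_quoted(conn, keyword):
    # Safe as long as every external value passes through quote() before interpolation
    sql = f"SELECT * FROM mytbl WHERE keyword = {quote(keyword)}"
    return conn.execute(sql).fetchall()


def demo():
    conn = make_db()
    return {
        "interpolated": len(search_interpolated(conn, SUBVERSIVE)),
        "placeholder": len(search_placeholder(conn, SUBVERSIVE)),
        "quoted": len(search_quoted(conn, SUBVERSIVE)),
        "honest": len(search_placeholder(conn, "eggplant")),
    }


if __name__ == "__main__":
    print(demo())  # {'interpolated': 3, 'placeholder': 0, 'quoted': 0, 'honest': 1}
```

The interpolated form returns every row, exactly the all-rows result the text warns about, while the placeholder and quoted forms match nothing.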