[Tutor] Paramstyle/sql injection [was Python CGI Script]
Danny Yoo
dyoo at hkn.eecs.berkeley.edu
Thu Sep 21 04:06:58 CEST 2006
> Was talking to my partner about this. He's a perl programmer, and he
> told me (if I understood him correctly) that the programmer is
> required by perl to use the 'prepare' function in the perl DBI prior to
> sending a select statement.
Hi Tim,
Yes. That being said, Perl's prepare() statement is no guarantee of safe
code. It leaves one to face interpolation temptation:
## Perl
my $sth = $dbh->prepare("delete from some_table where name='$field_value'");
$sth->execute();
is just as dangerous as:
## Python
cursor = conn.cursor()
cursor.execute("delete from some_table where name = '%s'" % field_value)
The lesson is that, in the absence of some automated lint-like tool
support that can tell us "no you silly, don't do that", we humans are
going to have to pick up the slack. We can write bad code in pretty much
any language. Programmer education is something we need to do until then.
Most of the developer communities around these languages have been around
long enough to understand this common risk of SQL injection. In summary:
if we're going to work with databases, we should use prepared statements
unless we have a very good reason not to.
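The contrast Danny draws above, worked through on an in-memory SQLite database so it can be run offline. This is an added example, not code from the original post: the table name and the sample rows are constructed, `delete_unsafe` reproduces the interpolation pattern from the post, and `delete_safe` is the prepared-statement form using sqlite3's qmark paramstyle.

```python
import sqlite3


def make_db():
    """Build a throwaway database with a few constructed rows.

    One name contains an apostrophe on purpose: it is a legitimate
    value that the interpolating version cannot even handle.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("create table some_table (name text)")
    conn.executemany(
        "insert into some_table (name) values (?)",
        [("alice",), ("bob",), ("O'Brien",)],  # constructed sample data
    )
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("select count(*) from some_table").fetchone()[0]


def delete_unsafe(conn, field_value):
    """The pattern from the post: the value is pasted into the SQL text.

    Whatever is in field_value becomes part of the statement itself, so
    the database cannot tell data apart from query structure.
    Returns the number of rows deleted.
    """
    cursor = conn.cursor()
    cursor.execute("delete from some_table where name = '%s'" % field_value)
    conn.commit()
    return cursor.rowcount


def delete_safe(conn, field_value):
    """The prepared-statement form recommended in the post.

    The SQL text is fixed; the value travels separately as a parameter
    (sqlite3.paramstyle is 'qmark', hence the '?').  Quotes inside the
    value are just characters in a string, never SQL syntax.
    Returns the number of rows deleted.
    """
    cursor = conn.cursor()
    cursor.execute("delete from some_table where name = ?", (field_value,))
    conn.commit()
    return cursor.rowcount


def unsafe_breaks_on_apostrophe(field_value):
    """True if the interpolating version fails on an ordinary value.

    "O'Brien" turns the statement into name = 'O'Brien', which is not
    valid SQL, so sqlite raises an OperationalError.
    """
    conn = make_db()
    try:
        delete_unsafe(conn, field_value)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    # A constructed value that carries its own WHERE logic.
    hostile = "x' or 'a'='a"

    conn = make_db()
    print("unsafe deleted", delete_unsafe(conn, hostile), "rows")   # every row
    conn = make_db()
    print("safe deleted", delete_safe(conn, hostile), "rows")       # none match
    print("safe deleted", delete_safe(conn, "O'Brien"), "row")      # exactly one
    print("unsafe breaks on O'Brien:", unsafe_breaks_on_apostrophe("O'Brien"))
```

The parameterized version is not only the safe one, it is also the one that works for real data: the interpolating version cannot delete "O'Brien" at all without additional escaping, which is precisely the kind of hand-written escaping that prepared statements exist to make unnecessary.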