From: pdt at jackhammer.org (Paul Tinsley)
Subject: Question: is this exploitable?

"Escaping quote characters might work OK in MySQL, but it is at best 
only a database-dependent solution."
Nobody said anything about simply quoting a string, if you read the 
description I posted of quote, it does more than that.  The function 
that we are talking about IS part of DBI, not some crazy cooked up thing 
that was written just for MySQL.  I never quoted the DBD::mysql 
documentation, all of that came directly from DBI.  If the driver writer 
implements all the calls DBI documents that are available, this should 
work fine.  If not, it's a problem with the driver, not with the user.

"You'd have to write an entirely different mechanism to untaint data 
bound for Oracle...and another one for other different database 
implementations."
That is DBD's job...

"For one, they keep you in a database-independent environment (which 
makes sense, since you're using DBI)."
Good thing he was suggesting to use part of DBI.

As for which is the better of the two ways, there was no argument 
there.  I was simply answering your question as to how it protected from 
SQL injection.

Thanks,
   Paul Tinsley

P.S. - If you wish to further debate it, I suggest we take it off list; 
we have definitely gone off topic at this point.

Jonathan A. Zdziarski wrote:

>Escaping quote characters might work OK in MySQL, but it is at best only
>a database-dependent solution.  Take a look at Oracle, instead of
>double-quotes, single-quotes are used.  And instead of being escaped,
>they are simply doubled (e.g. ' becomes '').  You'd have to write an
>entirely different mechanism to untaint data bound for Oracle...and
>another one for other different database implementations.
>
>This is why placeholders are a better solution.  For one, they keep you
>in a database-independent environment (which makes sense, since you're
>using DBI).  For another, they insure you don't have to worry about
>accidentally missing the escaping of some data.
>
>On Sat, 2003-10-18 at 22:36, Paul Tinsley wrote:
>
>>I don't believe this is a true statement.
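The two mechanisms the thread argues about, shown side by side in an added example that is not part of either poster's message. It uses DBI against an in-memory SQLite database (assumption: DBD::SQLite is installed) and a constructed input containing a single quote. The first query interpolates the raw string and fails; the second uses $dbh->quote(), which asks the connected driver for the literal syntax it needs (SQLite doubles the quote, as Jonathan describes for Oracle; DBD::mysql may backslash-escape instead), so the same Perl works across drivers as long as quote() is called on the live handle; the third uses a placeholder, so the value never becomes part of the SQL text at all.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database keeps the
# example self-contained; nothing here is specific to SQLite except the DSN.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");

# Constructed sample rows; the second name contains a single quote.
$dbh->do("INSERT INTO users (name) VALUES (?)", undef, $_)
    for ("alice", "O'Reilly");

# Constructed input, as it might arrive from a web form.
my $input = "O'Reilly";

# 1. Raw interpolation: the apostrophe terminates the string literal early
#    and the statement no longer parses. RaiseError turns that into a die,
#    which eval catches here so the script can go on.
my $naive_id = eval {
    $dbh->selectrow_array("SELECT id FROM users WHERE name = '$input'");
};
print "raw interpolation: ",
      (defined $naive_id ? "id $naive_id" : "failed: $@"), "\n";

# 2. $dbh->quote(): DBI delegates to the driver, which returns a literal in
#    the syntax this database expects ('O''Reilly' for SQLite). Because the
#    handle is connected, the driver's rules apply, not MySQL's or anyone
#    else's. Every value interpolated into SQL has to go through it; one
#    missed call reopens the hole.
my $literal = $dbh->quote($input);
my ($quoted_id) =
    $dbh->selectrow_array("SELECT id FROM users WHERE name = $literal");
print "quote(): literal $literal -> id $quoted_id\n";

# 3. Placeholder: the SQL text is fixed at prepare() time and the value is
#    bound separately at execute() time, so there is nothing to escape and
#    nothing driver-specific in the Perl code.
my $sth = $dbh->prepare("SELECT id FROM users WHERE name = ?");
$sth->execute($input);
my ($bound_id) = $sth->fetchrow_array;
$sth->finish;
print "placeholder: id $bound_id\n";

$dbh->disconnect;
```

Run it as a plain script; the first query reports a parse error from the driver, and the other two return the same row id for the name containing the apostrophe. Leaving PrintError off and RaiseError on is what makes the failure of the first query visible as an exception rather than a silently empty result.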
