cgi/perl and mysql error
As stated in another thread, I'm doing a code audit on a cgi/perl based web application. I'm trying to do an SQL injection without much success. I should be happy, but I don't understand why it does not want to work.
Code:
SELECT x,y,z from table1 where sid = '' or 1; delete from table2 where ip='192.168.199.248';#';
Code:
print <<EOT;
Code:
SELECT x,y,z from table1 where sid = '' or 1; delete from table2 where ip='192.168.199.248';#';
Any ideas why I get the mysql error? Note: I don't have experience with Perl.
|
Why do you have a hash # at the end of the query?
|
Just to comment out the last single quote that is generated by the Perl code. The first code example was taken from the Perl print statement.
|
Do I get that wrong or are you trying to execute several sql statements with 1 execute? That's not possible as far as I know. Always 1 by 1, prepare, execute...and without ';'
$sql = "select id,text from mytable";
$sth=$dbh->prepare($sql);
$sth->execute();
|
j-ray,
should that not result in a Perl error? I get a MySQL error and the mysql client allows me to do multiple statements on one line (the first code example). Maybe the mysql client splits it into two? One of the pages on the web that I found clearly states that 'it' does what the mysql client does; unfortunately I've visited so many Perl pages during this audit that I cannot recall which one. So if it's not possible, then there would be no issue whatsoever with SQL injection (except for adding the 'or 1' to bypass where clauses). In that case everybody should use Perl for web applications. What am I missing? PS: If I remember correctly, I also could not get it right with my own PHP pages. |
DBI is a wrapper that gives access to various db engines. Some of them support multiple statements and others don't.
From the DBI.pm documentation: "Multiple SQL statements may not be combined in a single statement handle ($sth), although some databases and drivers do support this (notably Sybase and SQL Server)." Available here: http://search.cpan.org/~timb/DBI-1.607/DBI.pm It's the same with PHP and MySQL. |
j-ray,
thanks for the link; at least I don't have to worry about that part anymore. |
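Added example, not part of any post in this thread: the query from the first post built by string interpolation, next to the same lookup with a DBI placeholder. It assumes an in-memory DBD::SQLite database as a stand-in for the MySQL server (SQLite's driver discards the text after the first `;` where the thread's MySQL setup returned an error), and the helper names and sample rows are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: in-memory DBD::SQLite stands in for the thread's MySQL server.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });

# Constructed sample data; table and column names follow the thread's query.
$dbh->do('CREATE TABLE table1 (sid TEXT, x TEXT, y TEXT, z TEXT)');
$dbh->do('CREATE TABLE table2 (ip TEXT)');
$dbh->do(q{INSERT INTO table1 VALUES ('s1', 'a', 'b', 'c')});
$dbh->do(q{INSERT INTO table1 VALUES ('s2', 'd', 'e', 'f')});
$dbh->do(q{INSERT INTO table2 VALUES ('192.168.199.248')});

# Parameter value that yields the query quoted in the first post.
my $sid = q{' or 1; delete from table2 where ip='192.168.199.248';#};

# Audit finding (hypothetical helper): value interpolated into the SQL text.
sub rows_interpolated {
    my ($value) = @_;
    my $rows = eval {
        $dbh->selectall_arrayref(
            "SELECT x,y,z FROM table1 WHERE sid = '$value'");
    };
    return defined $rows ? scalar @$rows : "driver error: $@";
}

# Fix (hypothetical helper): the placeholder binds the value as data only.
sub rows_bound {
    my ($value) = @_;
    my $rows = $dbh->selectall_arrayref(
        'SELECT x,y,z FROM table1 WHERE sid = ?', undef, $value);
    return scalar @$rows;
}

# Shows whether the stacked DELETE was executed.
sub table2_count {
    my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM table2');
    return $count;
}

print "interpolated rows: ", rows_interpolated($sid), "\n";
print "table2 rows after: ", table2_count(), "\n";
print "bound rows:        ", rows_bound($sid), "\n";
```

The one-statement-per-handle limit only stops the stacked DELETE; the `or 1` in the interpolated query still changes the WHERE clause, which the placeholder version prevents. When auditing DBD::mysql code, also check the connect string for `mysql_multi_statements`, which turns stacked statements on.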