LinuxQuestions.org


Wim Sturkenboom 02-11-2009 11:37 PM

cgi/perl and mysql error
 
As stated in another thread, I'm doing a code audit on a cgi/perl based web application. I'm trying to do an sql injection without much success. I should be happy, but I don't understand why it does not want to work.
Code:

SELECT x,y,z from table1 where sid = '' or 1; delete from table2 where ip='192.168.199.248';#';

The above works in the mysql client.
Code:

print <<EOT;
SELECT x,y,z from table1 where sid = '$sid';
EOT
$sth=$dbh->prepare("SELECT x,y,z from table1 where sid = '$sid';") || die "Prepare failed: $DBI::errstr \n";
$sth->execute() || die "Failed to execute \n";

Running the script gives the below output.
Code:

SELECT x,y,z from table1 where sid = '' or 1; delete from table2 where ip='192.168.199.248';#';
DBD::mysql::st execute failed: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
'; delete from table2 where ip='192.168.199.248';#''
at line 1 at /var/www/cgi-bin/add_amino.wim.cgi line 37.
Failed to execute

Line 37 is the blue line. What confuses me at this stage is that I get a MySQL syntax error as the syntax is correct (as far as I can see).

Any ideas why I get the mysql error?

Note: I don't have experience with perl

datopdog 02-12-2009 03:27 AM

Why do you have a hash # at the end of the query?

Wim Sturkenboom 02-12-2009 04:37 AM

Just to comment out the last single_quote that is generated by the perl code. The first code example was taken from the perl print statement.

j-ray 02-12-2009 06:26 AM

Do I get that wrong or are you trying to execute several sql statements with 1 execute? That's not possible as far as I know. Always 1 by 1, prepare, execute...and without ';'
Code:

$sql = "select id,text from mytable";
$sth=$dbh->prepare($sql);
$sth->execute();

Wim Sturkenboom 02-12-2009 09:33 PM

j-ray,

should that not result in a perl error? I get a MySQL error and the mysql client allows me to do multiple statements on one line (the first code example). Maybe the mysql client splits it into two?

One of the pages on the web that I found clearly states that 'it' does what the mysql client does; unfortunately I've visited so many perl pages during this audit that I can not recall which one.

So if it's not possible, then there would be no issue whatsoever with SQL injection (except for adding the 'or 1' to bypass where clauses). In that case everybody should use perl for web applications. What am I missing?

PS If I remember correctly, I also could not get it right with my own PHP pages.

j-ray 02-13-2009 02:33 AM

DBI is a wrapper that gives access to various db engines. Some of them support multiple statements and others don't.
From dbi pm documentation:
Multiple SQL statements may not be combined in a single statement handle ($sth), although some databases and drivers do support this (notably Sybase and SQL Server).

available here
http://search.cpan.org/~timb/DBI-1.607/DBI.pm

It's the same with PHP and MySQL.

Wim Sturkenboom 02-13-2009 05:50 AM

j-ray,

thanks for the link; at least I don't have to worry about that part anymore.
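
Added example, not part of the original thread or of the audited application: the interpolated query pattern from the first post next to the same query with a DBI placeholder, fed a single-statement input of the 'or 1' kind mentioned above. The in-memory SQLite database (DBD::SQLite) standing in for MySQL, the table contents and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example; schema, rows and function names are constructed for illustration.
use strict;
use warnings;
use DBI;

# In-memory SQLite stands in for the MySQL database in the thread (assumption).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE table1 (sid TEXT, x TEXT, y TEXT, z TEXT)");
$dbh->do("INSERT INTO table1 VALUES (?, ?, ?, ?)", undef, @$_)
    for ( [ 'alice-session', 'a1', 'a2', 'a3' ],
          [ 'bob-session',   'b1', 'b2', 'b3' ] );

# Pattern from the thread: $sid becomes part of the SQL text, so quote
# characters in it change the structure of the WHERE clause.
sub rows_interpolated {
    my ($sid) = @_;
    return $dbh->selectall_arrayref(
        "SELECT x,y,z FROM table1 WHERE sid = '$sid'");
}

# Hardened form: the SQL text is constant and $sid is bound as data,
# so it can only ever be compared against the sid column.
sub rows_bound {
    my ($sid) = @_;
    return $dbh->selectall_arrayref(
        "SELECT x,y,z FROM table1 WHERE sid = ?", undef, $sid);
}

# Constructed input: one statement only, no stacked query involved.
my $sid = "' OR '1'='1";
printf "interpolated: %d row(s)\n", scalar @{ rows_interpolated($sid) };
printf "bound:        %d row(s)\n", scalar @{ rows_bound($sid) };
```

The interpolated version returns every row in the table while the bound version returns none, so the driver refusing stacked statements does not make the original query safe. When auditing DBD::mysql code, also check the connect string for the mysql_multi_statements option, which enables semicolon-separated statements.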

