ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
As stated in another thread, I doing a code audit on a cgi/perl based web application. I'm trying to do an sql injection without much success. I should be happy, but I don't understand why it does not want to work.
Code:
SELECT x,y,z from table1 where sid = '' or 1; delete from table2 where ip='192.168.199.248';#';
The above works in the mysql client.
Code:
print <<EOT;
SELECT x,y,z from table1 where sid = '$sid';
EOT
$sth=$dbh->prepare("SELECT x,y,z from table1 where sid = '$sid';") || die "Prepare failed: $DBI::errstr \n";
$sth->execute() || die "Failed to execute \n";
Running the script gives the below output.
Code:
SELECT x,y,z from table1 where sid = '' or 1; delete from table2 where ip='192.168.199.248';#';
DBD::mysql::st execute failed: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
'; delete from table2 where ip='192.168.199.248';#''
at line 1 at /var/www/cgi-bin/add_amino.wim.cgi line 37.
Failed to execute
Line 37 is the blue line. What confuses me at this stage is that I get a MySQL syntax error as the syntax is correct (as far as I can see).
Any ideas why I get the mysql error?
Note: I don't have experience with perl
Last edited by Wim Sturkenboom; 02-11-2009 at 11:39 PM.
Do I get that wrong or are you trying to execute several sql statements with 1 execute? That's not possible as far as I know. Always 1 by 1, prepare, execute...and without ';'
$sql = "select id,text from mytable";
$sth=$dbh->prepare($sql);
$sth->execute();
should that not result in a perl error? I get a MySQL error and the mysql client allows me to do multiple statements on one line (the first code example). Maybe the mysql client splits it into two?
One of the pages on the web that I found clearly states that 'it' does what the mysql client does; unfortunately I've visited so many perl pages during this audit that I can not recall which one.
So if it's not possible, then there would be no issue what-so-ever with SQL injection (except for adding the 'or 1' to bypass where clauses). In that case everybody should use perl for web applications. What am I missing.
PS If I remember correctly, I also could not get it right with my own PHP pages.
DBI is a wrapper that gives access to various db engines. Some of them support multiple statements and others don't.
From dbi pm documentation:
Multiple SQL statements may not be combined in a single statement handle ($sth), although some databases and drivers do support this (notably Sybase and SQL Server).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
