On Sun, 2 Oct 2011 00:07:34 +0300 "Octavian Rasnita" <orasn...@gmail.com> wrote:
> Hi,
>
> Does anyone have some suggestions for what restrictions should be used on a
> site to be secure?
> Do you know some sites where I can get information about this subject?
> Most of the text I read said that the variables should be filtered before
> inserting them in DB, but never gave details for what should be filtered.
>

Well, the SQL injections that you mention are one vector of attack against web-sites, but are not the only one. See:

* http://shlomif-tech.livejournal.com/35301.html - my post about Code/Markup injection and its prevention.
* http://en.wikipedia.org/wiki/Cross-site_scripting
* http://en.wikipedia.org/wiki/Cross-site_request_forgery

> I know a lot of theory but without practical examples.
>
> Is it enough to use binding parameters in DBI for avoiding SQL injections? I
> mean, if I always use binding parameters, it is OK if I don't use any other
> kind of filtering? If it is not enough, what kind of SQL code can still
> damage the DB?

By binding parameters, you probably mean placeholders and that should be enough in most cases (assuming you are careful enough):

http://bobby-tables.com/

One possible vector of problem is the SQL “LIKE” operator where people can inject "%" in.

>
> And if I need to filter, what kind of filter I need to apply?
>

You don't need to filter if you're using placeholders.

> I know that the code will be secure if I will allow only A-Za-z0-9 and
> spaces, but in some form fields I need to allow every character. If there are
> some well defined types of SQL injection codes, are there some patterns that
> can be used for filtering?

Just use placeholders.

Regards,

Shlomi Fish

>
> Thanks.
>
> Octavian
>

-- 
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
"Humanity" - Parody of Modern Life - http://shlom.in/humanity

When Chuck Norris uses git, he takes a coffee break after initiating every git commit. And then he waits for the commit to finish.
Please reply to list if it's a mailing list post - http://shlom.in/reply .
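As an added illustration (not code from the thread or from either poster), here is what the advice above looks like in DBI: a placeholder for an equality lookup, and the LIKE case Shlomi mentions, where a bound "%" is still a wildcard unless it is escaped. It assumes DBD::SQLite is installed and builds a throwaway in-memory table with constructed rows so it runs offline.

```perl
#!/usr/bin/env perl
# Added example: DBI placeholders plus LIKE-wildcard escaping.
# Assumes DBI and DBD::SQLite; the table and rows are constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
my $ins = $dbh->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$ins->execute(@$_) for (
    [ "Octavian",  "octavian\@example.com" ],
    [ "Shlomi",    "shlomi\@example.com" ],
    [ "100% pure", "pure\@example.com" ],
);

# 1. Equality lookup: the placeholder sends the value separately from the
#    SQL text, so quotes or keywords in $name are just characters.
sub find_by_name {
    my ($name) = @_;
    my $sth = $dbh->prepare("SELECT email FROM users WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

# 2. LIKE lookup: the placeholder still prevents SQL injection, but '%'
#    and '_' inside the bound value remain wildcards. Escape them and
#    declare the escape character so user input matches literally.
sub find_by_name_prefix {
    my ($prefix) = @_;
    (my $escaped = $prefix) =~ s/([\\%_])/\\$1/g;   # \ % _  ->  \\ \% \_
    my $sth = $dbh->prepare(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'");
    $sth->execute("$escaped%");
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# Quote-laden input is harmless with a placeholder: no rows, no error.
printf "equality rows: %d\n", scalar @{ find_by_name("x' OR '1'='1") };

# Unescaped, a bare "%" prefix would match every user; escaped, it only
# matches names that really start with "%" (none here).
printf "prefix '%%' matches: %s\n",
    join(", ", @{ find_by_name_prefix("%") }) || "(none)";
printf "prefix '100%%' matches: %s\n",
    join(", ", @{ find_by_name_prefix("100%") });
```

The same escaping is needed for any driver, but the ESCAPE clause syntax and default escape character vary between databases, so check the one you deploy on.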