Michael Peppler
Sybase Consulting
Sybase on Linux
Install Guide for Sybase on Linux
General Sybase Resources
General Perl Resources
BCP Tool
Bug Tracker
Mailing List Archive
Downloads Directory
Sybase on Linux FAQ
Sybperl FAQ
Michael Peppler's resume

sybperl-l Archive

Up    Prev    Next    

From: "Avis, Ed" <avised at kbcfp dot com>
Subject: RE: Intresting case of SQL Injection
Date: Dec 5 2003 2:28PM

Jenda Krynicky  wrote:

>>    die "bad value $foo" if $foo =~ tr/'//;
>>    $sql = "select * from a where x = '$foo'";

>>in this particular case you can assume that in SQL only another '
>>character can terminate a string quoted with '.

>I'm afraid this depends on the database. I'd expect "\0" to be 
>problematic to some databases as well.

Hmm, looks like you're right.  Both Sybase and Oracle choke on NUL in
the middle of a quoted string.  Unfortunately Sybase also goes wrong
when you use placeholders!

    create table test_nul (a varchar(100) not null)

    my $sth = $dbh->prepare("insert into test_nul (a) values (?)");
    my $r = $dbh->selectall_arrayref(
      'select a, char_length(a) from test_nul'
    foreach (@$r) {
        my ($a, $char_length) = @$_;
        print "got value: '$a' of length, ", length $a,
          ", char_length $char_length\n";

With Sybase 11.9.2, DBI-1.30, DBD::Sybase-0.95, OCS-12.5 this prints

got value: 'x' of length, 1, char_length 1

in other words the column value has been truncated at the NUL byte
when inserting.  Oracle handles the placeholder insert correctly.
Since this is a Sybase-specific bug I'm including sybperl-l and
further discussion can happen there.

Ed Avis