sybperl-l Archive

From: "Avis, Ed" <avised at kbcfp dot com>
Subject: RE: Intresting case of SQL Injection
Date: Dec 5 2003 2:28PM

Jenda Krynicky  wrote:

>>    die "bad value $foo" if $foo =~ tr/'//;
>>    $sql = "select * from a where x = '$foo'";

>>in this particular case you can assume that in SQL only another '
>>character can terminate a string quoted with '.

>I'm afraid this depends on the database. I'd expect "\0" to be 
>problematic to some databases as well.

Hmm, looks like you're right.  Both Sybase and Oracle choke on NUL in
the middle of a quoted string.  Unfortunately Sybase also goes wrong
when you use placeholders!

    create table test_nul (a varchar(100) not null)

    my $sth = $dbh->prepare("insert into test_nul (a) values (?)");
    $sth->execute("x\0y");
    my $r = $dbh->selectall_arrayref(
      'select a, char_length(a) from test_nul'
    );
    foreach (@$r) {
        my ($a, $char_length) = @$_;
        print "got value: '$a' of length, ", length $a,
          ", char_length $char_length\n";
    }

With Sybase 11.9.2, DBI-1.30, DBD::Sybase-0.95, OCS-12.5 this prints

got value: 'x' of length, 1, char_length 1

in other words the column value has been truncated at the NUL byte
when inserting.  Oracle handles the placeholder insert correctly.
Since this is a Sybase-specific bug I'm including sybperl-l and
further discussion can happen there.

-- 
Ed Avis