sybperl-l Archive
From: Michael Peppler <mpeppler at peppler dot org>
Subject: RE: Intresting case of SQL Injection
Date: Dec 5 2003 4:00PM
On Fri, 2003-12-05 at 06:28, Avis, Ed wrote:
> Jenda Krynicky wrote:
>
> >> die "bad value $foo" if $foo =~ tr/'//;
> >> $sql = "select * from a where x = '$foo'";
>
> >>in this particular case you can assume that in SQL only another '
> >>character can terminate a string quoted with '.
>
> >I'm afraid this depends on the database. I'd expect "\0" to be
> >problematic to some databases as well.
>
> Hmm, looks like you're right. Both Sybase and Oracle choke on NUL in
> the middle of a quoted string. Unfortunately Sybase also goes wrong
> when you use placeholders!
From the DBD::Sybase code (around line 3560 in dbdimp.c):
    default:
        phs->datafmt.datatype = CS_CHAR_TYPE;
        value = phs->sv_buf;
        value_len = CS_NULLTERM; /*Allow embeded NUL bytes in strings?*/
        /* PR/446: should an empty string cause a NULL, or not? */
        if(*(char*)value == 0) {
            if(imp_dbh->bindEmptyStringNull) {
                value = NULL;
                value_len = CS_UNUSED;
            } else {
                value = " ";
            }
        }
        break;
As you can see, value_len is set to CS_NULLTERM, which tells
Sybase/OpenClient that the string is null-terminated.
As the comment suggests, this is probably/possibly a bug, although it
hasn't come up before as an issue.
Michael
--
Michael Peppler Data Migrations, Inc.
mpeppler@peppler.org http://www.mbay.net/~mpeppler
Sybase T-SQL/OpenClient/OpenServer/C/Perl developer available for short or
long term contract positions - http://www.mbay.net/~mpeppler/resume.html
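The following is an added example, not DBD::Sybase or OpenClient code, that models the decision logic of the dbdimp.c snippet quoted above so the consequence of CS_NULLTERM can be checked on sample buffers. MY_CS_NULLTERM and MY_CS_UNUSED are hypothetical stand-ins for the OpenClient constants, bind_char_param is an assumed name, and the "ab\0cd" and "\0abc" inputs are constructed. It shows two things the message only states: a parameter holding an embedded NUL is silently cut at that byte when the driver reports it as null-terminated (the data would survive only if the buffer's real length were passed instead), and because the empty-string check looks at the first byte, a value that merely starts with NUL is mistaken for an empty string and bound as NULL or a single space.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the OpenClient length constants used in
 * dbdimp.c. CS_NULLTERM means "treat the buffer as a C string, stop at
 * the first NUL"; CS_UNUSED means the length carries no meaning (used
 * here when the value is bound as SQL NULL). */
#define MY_CS_NULLTERM (-1L)
#define MY_CS_UNUSED   (-2L)

typedef struct {
    const char *value;     /* pointer handed to the client library; NULL = SQL NULL */
    long        value_len; /* length as reported to the client library */
} bound_param;

/* Models the default: branch of the quoted snippet.
 * buf/buf_len: the Perl scalar's buffer and its real byte length.
 * empty_null:  mirrors imp_dbh->bindEmptyStringNull.
 * nullterm:    1 = report CS_NULLTERM as the snippet does,
 *              0 = report the real byte length instead (assumed alternative). */
bound_param bind_char_param(const char *buf, size_t buf_len,
                            int empty_null, int nullterm)
{
    bound_param p;
    p.value = buf;
    p.value_len = nullterm ? MY_CS_NULLTERM : (long)buf_len;

    /* Same test as the snippet: only the first byte is inspected, so a
     * buffer that merely starts with NUL is treated as empty. */
    if (buf[0] == '\0') {
        if (empty_null) {
            p.value = NULL;
            p.value_len = MY_CS_UNUSED;
        } else {
            p.value = " ";
            if (!nullterm) p.value_len = 1;
        }
    }
    return p;
}

/* Bytes the server would actually receive for a bound parameter. */
size_t bytes_sent(const bound_param *p)
{
    if (p->value == NULL) return 0;
    if (p->value_len == MY_CS_NULLTERM) return strlen(p->value); /* stops at first NUL */
    return (size_t)p->value_len;
}

/* Convenience wrappers so each case reduces to one returned value. */
size_t bytes_sent_for(const char *buf, size_t buf_len, int empty_null, int nullterm)
{
    bound_param p = bind_char_param(buf, buf_len, empty_null, nullterm);
    return bytes_sent(&p);
}

int sent_as_sql_null(const char *buf, size_t buf_len, int empty_null, int nullterm)
{
    bound_param p = bind_char_param(buf, buf_len, empty_null, nullterm);
    return p.value == NULL;
}

int main(void)
{
    /* Constructed 5-byte value with an embedded NUL: "ab" NUL "cd". */
    const char *v = "ab\0cd";
    printf("embedded NUL, CS_NULLTERM:   %zu bytes reach the server\n",
           bytes_sent_for(v, 5, 0, 1));
    printf("embedded NUL, explicit len:  %zu bytes reach the server\n",
           bytes_sent_for(v, 5, 0, 0));
    printf("leading NUL, explicit len:   %zu byte(s), sent as NULL? %d\n",
           bytes_sent_for("\0abc", 4, 0, 0), sent_as_sql_null("\0abc", 4, 1, 0));
    printf("empty string, bindEmptyStringNull=1: sent as NULL? %d\n",
           sent_as_sql_null("", 0, 1, 1));
    return 0;
}
```

The practical check this suggests for an application: a validator that only rejects the quote character, as in the Perl line quoted at the top of the thread, does not catch a NUL byte, and with this driver path the bytes after it never reach the server at all, so input that must be bound as CS_CHAR should be rejected or normalised when it contains NUL before it is handed to the placeholder.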