Comments for Perl Hacks

Comment on Fedora and Centos CPAN RPMs by Delicious Bookmarks for January 16th from 02:47 to 11:32 « Lâmôlabs

Delicious Bookmarks for January 16th from 02:47 to 11:32 « Lâmôlabs — Mon, 16 Jan 2012 17:03:44 +0000

Comment on Public Training Courses in February by Free Training Competition in Linux Format | Perl Hacks

Free Training Competition in Linux Format | Perl Hacks — Fri, 06 Jan 2012 15:03:26 +0000

[...] Training Competition in Linux Format I’ve mentioned before that I’m running some public training courses in London next month. But how do you fancy [...]

Comment on Modern Core Perl by Dave Cross

Dave Cross — Thu, 05 Jan 2012 07:00:17 +0000

I think you’re probably looking for Perl Vogue

Comment on Modern Core Perl by my name

my name — Wed, 04 Jan 2012 23:03:21 +0000

“To many people Modern Perl means big CPAN modules like Moose, DBIx::Class and Catalyst.”

To me, at least, capital-m-modern Perl is about a bunch of pathetic self-promoters trying to sell their books, courses, etc. Perl used to be about getting a job done; “Modern” Perl is a fashion show.

Comment on Programming Like It’s 1999 by Name

Name — Mon, 19 Dec 2011 02:30:08 +0000

Bobby Tables! I don’t even have to click the link

Comment on Programming Like It’s 1999 by Ed Avis

Ed Avis — Thu, 24 Nov 2011 19:59:41 +0000

Zefram gave an example of a case that your code misses. The point is that by ‘enumerating badness’, you make sure that if you’ve overlooked something it will be a vulnerability. Better to fail safe by rejecting anything not in a list of characters you know to be okay. Both solutions (yours and mine) need extending to handle additional characters: yours does not handle backslash correctly, and mine doesn’t do accented characters. But the consequences of that omission are different. You need to write the test so that even if you have missed something out (which will inevitably happen), it won’t leave you with SQL injection bugs. Losing some accented characters is a much more benign failure mode IMHO.

Comment on Programming Like It’s 1999 by Dave Cross

Dave Cross — Thu, 24 Nov 2011 14:20:04 +0000

Good idea. See here.

Comment on Programming Like It’s 1999 by Alex

Alex — Thu, 24 Nov 2011 14:12:05 +0000

This is a good example for newbies how things should happen in modern perl. I am going to show it to my students. But can you make a copy of original script, because it can dissappear.

Comment on Programming Like It’s 1999 by Toby Inkster

Toby Inkster — Wed, 23 Nov 2011 17:07:08 +0000

The SQL standard way of escaping single quotes is not to backslash them, but to double them up. That is:

s{‘}{”}g

Of course, many SQL databases support backslash escaping instead of or as well as the SQL standard method.

Comment on Programming Like It’s 1999 by Zefram

Zefram — Wed, 23 Nov 2011 12:05:02 +0000

Your single-quote escaping is *not* sufficient to avoid SQL injection. Most obviously, backslashes also need to be escaped. Specific exploit: I give you the string q{\');drop database imdb;-- }. You escape the single quote yielding q{\\');drop database imdb;-- }, and then stick it into quotes yielding q{insert into movie (...) values ('\\');drop database imdb;-- ', ...);}. The q{'\\'} parses as a complete string literal, representing a string containing a single backslash. You lose.

The right way to embed data in SQL is to have a function whose input is a data object (in whatever form you’re dealing with in Perl space) and whose output is a string of SQL source constituting an expression that will evaluate to the in-database representation of the same data. If you’re dealing with a string (or anything that you represent as a string in SQL space) then you’d expect that output expression to be in the form of an SQL string literal. The concept generalises to all SQL data types, including ones that don’t have a literal syntax, and to all types of object that you deal with in Perl space.

Here’s the specific logic that I developed at $ork to represent a Perl octet string as an SQL octet string:

my %char_escape = ( "\0" => "\\0", "'" => "\\'", "\\" => "\\\\" );
sub sql_octetstring($) {
    my($value) = @_;
    die "not an octet string"
      unless Params::Classify::is_string($value)
      && $value =~ /\A[\x00-\xff]*\z/;
    $value =~ s(([\0\'\\]))($char_escape{$1})eg;
    return "'$value'";
}

This is specifically for MySQL; you need to experiment to write the correct equivalent for your particular database. Also, obviously, if you’re dealing with general Unicode then you’ll need an encoding layer on top of this.

You use it like “where title=@{[sql_octetstring($title)]}” or “values (@{[join(q(, ), map { sql_octetstring($film{$_}) } @fields)]})“. The babycart operator is brilliant for this sort of thing, because it gives you all the right cues about the nesting that is logically occurring.