
I think

    $sth = $dbh->prepare("SELECT document FROM table WHERE tag=? AND security_level=?");
    $sth->execute(foo(), $user_level);
breaks as well, if foo() unexpectedly returns a list.



The following won't break (at least not in the bad way), I don't think:

    $sth = $dbh->prepare("SELECT document FROM table WHERE tag=? AND security_level=?");
    $sth->bind_param(1, foo());
    $sth->bind_param(2, $user_level);
    $sth->execute();


Indeed it looks like it can, but this is still a non-issue if you understand context (a key feature of Perl) and know what foo does.


Breaks as in "SQL injection is possible" or breaks as in "invalid number of parameters"?


If the list contains 2 elements, it will overwrite the second parameter, so the total number of arguments is still the same.


Ah yes, but that's a slightly different feature to the one demonstrated by the author (https://www.youtube.com/watch?feature=player_detailpage&v=gw...). However that's not to say that the vulnerability you raised isn't also a serious one developers need to be mindful of.
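The following is an added example, not code posted by anyone in this thread. It shows the list-context flattening the first comment describes and the bind_param alternative from the second comment, using a stand-in statement handle (MockSth) written here so the script runs without a database. MockSth mimics DBI's rule that execute() must receive exactly one value per placeholder and that bind_param() takes a value plus an optional type/attribute argument; foo() and level_for() are hypothetical functions invented for the illustration.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): how Perl list context flattens a
# function's return list into a statement handle's bind-parameter list.
use strict;
use warnings;

package MockSth;
# Stand-in for a DBI statement handle. Assumption: DBI's own execute()
# dies with "called with N bind variables when M are needed" on a mismatch.
sub new { my ($class, $nparams) = @_; return bless { n => $nparams, bound => {} }, $class }

sub execute {
    my ($self, @bind) = @_;
    if (@bind != $self->{n}) {
        return "ERROR: called with " . scalar(@bind) . " bind variables when $self->{n} are needed";
    }
    return "OK: " . join(', ', map {
        my $v = $bind[$_ - 1];
        "?$_=" . (defined $v ? $v : 'NULL');
    } 1 .. $self->{n});
}

# bind_param($p_num, $value, [\%attr or $sql_type]): like DBI, anything after
# the value is a type/attribute hint, never a second value.
sub bind_param {
    my ($self, $p_num, $value, $attr) = @_;
    $self->{bound}{$p_num} = $value;
    return $self;
}

sub execute_bound {
    my $self = shift;
    return $self->execute(map { $self->{bound}{$_} } 1 .. $self->{n});
}

package main;

my $user_level = 1;                       # the caller's real clearance

# Hypothetical tag lookup that unexpectedly returns a two-element list.
sub foo { return ('public', 9) }

# Hypothetical lookup that does "return;" on failure: in list context that
# is an EMPTY list, so the argument disappears entirely.
sub level_for { my ($who) = @_; return; }

my $sth = MockSth->new(2);   # "... WHERE tag=? AND security_level=?"

# 1. foo() flattens to two values, execute() sees three: DBI fails closed.
print $sth->execute(foo(), $user_level), "\n";
# ERROR: called with 3 bind variables when 2 are needed

# 2. The dangerous case: the counts happen to line up. foo()'s second
#    element silently becomes security_level, and level_for() is gone.
print $sth->execute(foo(), level_for('mallory')), "\n";
# OK: ?1=public, ?2=9

# 3. Force one value per placeholder regardless of what the functions return.
#    A missing value becomes undef (bound as NULL), which matches nothing.
my ($tag)   = foo();
my ($level) = level_for('mallory');
print $sth->execute($tag, $level), "\n";
# OK: ?1=public, ?2=NULL

# 4. The bind_param form from the thread: the extra element lands in the
#    type/attribute slot, so it cannot shift the security_level value.
my $sth2 = MockSth->new(2);
$sth2->bind_param(1, foo());
$sth2->bind_param(2, $user_level);
print $sth2->execute_bound, "\n";
# OK: ?1=public, ?2=1
```

The check worth keeping from this is case 3: take each bind value into its own scalar (or a one-element list assignment) before calling execute(), so the number of values can never depend on what a callee returns. With real DBI, case 4 is not entirely free either: a stray third argument to bind_param() is interpreted as a SQL type or attribute hash, which may produce an error rather than silently doing the right thing.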



