Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Ovid (2709)

Ovid
  (email not shown publicly)
http://publius-ovidius.livejournal.com/
AOL IM: ovidperl (Add Buddy, Send Message)

Stuff with the Perl Foundation. A couple of patches in the Perl core. A few CPAN modules. That about sums it up.

Journal of Ovid (2709)

Monday August 20, 2007
08:11 AM

Finding SQL Injection Attacks with 'ack'

[ #34160 ]

We are evaluating a third party application. I just ran the following command:

$ ack -i '\b(?:select|update|insert|delete)\b.*\$'  \
   --php include |wc -l
307

A cursory scan indicates that many of those results are, in fact, very dodgy SQL embedding variables directly in SQL rather than using placeholders. Hmm, how many files is that?

$ ack -il '\b(?:select|update|insert|delete)\b.*\$'  \
   --php include |wc -l
92

Needless to say, I don't feel terribly comfortable with this application, but I love ack. This isn't the final nail in the coffin for this application as it's possible that all of these variables are well-sanitized, by for crying out loud, use your frickin' placeholders in SQL! Of course, with 92 potentially vulnerable files, trying to verify that everything is safe seems more trouble than it's worth.

Update: we're not going to use this software. Using this as a starting point, we started digging into the code. One of the final nails was this bit of code (munged to hide the identify of the folks we'll be contacting):

function createInsertForSQL($columns) {
    $values = '';

    foreach ( $columns as $column ) {
        if ( $values != '' ) {
            $values .= ', ';
        }
        $values .= $column;
    }
    return $values;
}

I see at least two bugs there, both of which could be very serious.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • There's something to having real honest-to-Larry Perl regexes, isn't there? You could also use -o to output the regexes that match, if you want, so you could have it spew the offending code.
    --

    --
    xoa

  • I love ack too but I still like the idea of a grep replacement that understands Perl. Are you going to continue with pgrep (or whatever, I like 'grepl')? Or perhaps it could be an optional add-on for ack?
    • I will continue working on it. I do like the grepl name. And a cursory Google search show that it appears to be available :)

      As for working with ack. you'd have to talk to Andy about that. I've made it pretty extensible, but it's really his call if he wants to find a way to integrate it.

      • I'm hoping you change pgrep's name to ppgrep or ppigrep because pgrep is already taken by the grep from the "unix tools in perl" project and that's got several years of precedence.
        • Hated ppgrep and ppigrep won't make much sense if I ever update this for Perl 6 (which I would love to do, years from now). However, grepl (grep + pl) has been suggested and I love it. It makes perfect sense.