SQLインジェクション対策について
教育的な観点ではなく実務的な観点から、僕の考えをまとめてみる。UTF-8 を利用し、SET NAMES を利用していなくて mysql で、クライアントプリペアドステートメントなケースを想定している。
$foo=$_POST[‘id’];
query(“SELECT * FROM foo WHERE id=$foo”);
のように外部からの文字列をそのまま使用してクエリを組みたてたときに、意図せぬ SQL を発行されてしまう脆弱性のことである。
Tokuhiro Matsuno tokuhirom
💖
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use strict; | |
| use warnings; | |
| use Test::More; | |
| ok(!eval { require Moose; 1; }, 'no Moose'); | |
| ok(!eval { require DateTime; 1; }, 'no DateTime'); | |
| ok(!eval { require Devel::StackTrace::WithLexicals; 1; }, 'no Devel::StackTrace::WithLexicals'); | |
| done_testing; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| e() { cd $(repos-list --null | peco --null) } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env perl | |
| use strict; | |
| use warnings; | |
| use Time::Piece; | |
| use Pod::Usage; | |
| &main; exit; | |
| sub show($) { | |
| my $time = shift; |
tokuhirom
/ gist:11172693
Created
April 22, 2014 10:01
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sub Member::get_ad($self, $id) { | |
| my $ad = $self->db->find->ad($id) or throw NotFoundException->throw; | |
| if ($ad->member_id eq $self->id) { | |
| return $ad; | |
| } else { | |
| return SecurityException->throw(); # ここはもう | |
| } | |
| } | |
| sub Controller::dispatch_update_ad($c) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package Devel::MemProfile; | |
| use strict; | |
| use warnings; | |
| use utf8; | |
| use 5.010_001; | |
| use Devel::Symdump; | |
| use B::Size2::Terse; | |
| sub new { | |
| my $class = shift; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env perl | |
| use strict; | |
| use warnings; | |
| use utf8; | |
| use 5.010000; | |
| use autodie; | |
| package URI::Lite { | |
| use Class::Accessor::Lite 0.05 ( | |
| rw => [qw(scheme user password host port path query)], |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| package HTTP::Body::JSON; | |
| use JSON::XS; | |
| use parent qw(HTTP::Body); | |
| use HTTP::Body; | |
| use Encode qw(encode_utf8); | |
| $HTTP::Body::TYPES->{'application/json'} = __PACKAGE__; | |
| sub spin { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://hachiojipm.github.io/entry/2013-10-04-warn-die-hack.html | |
| STDERR をキャプチャする hack は hack っぽいし、よいとして。。 | |
| my $version = try { ## ここのコードがhackishでよくわからん!!! | |
| open my $fh, '>', \my $stderr; | |
| local *STDERR = $fh; | |
| $self->database_version; | |
| close $fh; | |
| }; |