The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.
 / 
Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection-1.0.0
River stage one • 1 direct dependent • 1 total dependent
3 ++
/ Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection

NAME

Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection - Prevent SQL injection in interpolated strings.

VERSION

Version 1.0.0

AFFILIATION

This is a standalone policy not part of a larger PerlCritic Policies group.

DESCRIPTION

When building SQL statements manually instead of using an ORM, any input must be quoted or passed using placeholders to prevent the introduction of SQL injection vectors. This policy attempts to detect the most common sources of SQL injection in manually crafted SQL statements, by detecting the use of variables inside interpolated strings that look like SQL statements.

In other words, this policy searches for code such as:

        my $sql = "SELECT * FROM $table WHERE field = $value";

But would leave alone:

        my $string = "Hello $world";

CONFIGURATION

There is no configuration option available for this policy.

MARKING VARIABLES AS SAFE

You can disable this policy on a particular string with the usual PerlCritic syntax:

        my $sql = "SELECT * FROM table WHERE field = $value"; ## no critic (PreventSQLInjection)

This is however not recommended, even if you know that $value is safe because it was previously quoted with something such as:

        my $value = $dbh->quote( $user_value );

The risk there is that someone will later modify your code and introduce unsafe variables by accident, which will then not get reported. To prevent this, this module has a special ## SQL safe ($var1, $var2, ...) syntax which allows whitelisting specific variables:

        my $sql = "SELECT * FROM table WHERE field = $value"; ## SQL safe($value)

That said, you should always convert your code to use placeholders instead where possible.

LIMITATIONS

There are many sources of SQL injection flaws, and this module comes with no guarantee whatsoever. It focuses on the most obvious flaws, but you should still learn more about SQL injection techniques to manually detect more advanced issues.

Possible future improvements for this module:

  • Detect concatenation

    Currently, this module only analyzes whole strings, and ignores concatenated strings or variables. For example, this would incorrectly not trigger a violation:

            my $sql = 'SELECT * FROM ' . $table;

  • Detect use of sprintf()

    This should probably be considered a violation:

            my $sql = sprintf(
                'SELECT * FROM %s',
                $table
        );

  • Parse heredoc

    This module does not analyze heredoc, but should since it interpolates variables by default.

FUNCTIONS

supported_parameters()

Return an array with information about the parameters supported.

        my @supported_parameters = $policy->supported_parameters();

default_severity()

Return the default severify for this policy.

        my $default_severity = $policy->default_severity();

default_themes()

Return the default themes this policy is included in.

        my $default_themes = $policy->default_themes();

applies_to()

Return the class of elements this policy applies to.

        my $class = $policy->applies_to();

violates()

Check an element for violations against this policy.

        my $policy->violates(
                $element,
                $document,
        );

extract_variables()

Extract variable names from a string.

        my $variables = extract_variables( $string );

get_safe_variables()

Return a hashref with safe variable names as the keys.

        my $safe_variables = get_safe_variables(
                $self,
                $line_number,
        );

parse_comments()

Parse the comments for the current document and identify variables marked as SQL safe.

        parse_comments(
                $self,
                $ppi_document,
        );

BUGS

Please report any bugs or feature requests through the web interface at https://github.com/guillaumeaubert/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection/issues. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

        perldoc Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection

You can also look for information at:

AUTHOR

Guillaume Aubert, <aubertg at cpan.org>.

COPYRIGHT & LICENSE

Copyright 2013 Guillaume Aubert.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/