the-web-application-hackers-handbook

738 Chapter 19 n Finding Vulnerabilities in Source Code
placeholders and set their values in a secure and type-safe way. If used as
intended, this mechanism is not vulnerable to SQL injection. For example:
my $username = “admin’ or 1=1--”;
my $password = “foo”;
my $sql = $db_connection->prepare(“SELECT * FROM users
WHERE username = ? AND password = ?”);
$sql->execute($username, $password);
results in a query that is equivalent to the following:
SELECT * FROM users WHERE username = ‘admin’’ or 1=1--’
AND password = ‘foo’
Dynamic Code Execution
eval can be used to dynamically execute a string containing Perl code. The
semicolon delimiter can be used to batch multiple statements. If user-controllable
data is passed into this function, the application is probably vulnerable to script
injection.
OS Command Execution
The following functions can be used to execute operating system commands:
n system
n exec
n qx
n The backtick operator (`)
In all these cases, commands can be chained together using the | character.
If user-controllable data is passed unfiltered into any of these functions, the
application is probably vulnerable to arbitrary command execution.
URL Redirection
The redirect function, which is a member of the CGI query object, takes a
string containing a relative or absolute URL, to which the user is redirected. If
the value of this string is user-controllable, the application is probably vulnerable
to a phishing vector.