Question

This Raw SQL WSI API appears very powerful, but it also appears to be the only way to accomplish retrieving the ids of entities I need. I need to be able to retrieve a manufacturer by name, for example (debating on whether there's a better way). On the assumption that the best way is to send a query like this

'SELECT ManufactuerGUID FROM Manufacturer WHERE Name = ' . "$name"

which is a really bad idea and I hate myself for even writing that... but I'm not sure how best to sanitize it. Usually the parameterization is done via the SQL driver (AFAIK). The only thing I can think of is: could I perhaps get the final SQL string back from DBD::ODBC? Other suggestions welcome. Perhaps there is a sanitization library I could use?

To clarify, I have no actual control over ASP.net Storefront's API. The Manufacturer Name is the only parameter that comes from human input, so I shouldn't have to worry about how I code the rest of it. Yes, this API is an incredibly stupid idea, and it'd be great if they had given me a way to parameterize the query.


Solution 2

I found this documentation which suggests there is a QueryParams option.

<query name="Entities" rowElementName="Entity">
  <sql>
    <![CDATA[
      select Name,Description from {EntityName} with (NOLOCK) where {EntityName}ID=@EntityID
    ]]>
  </sql>
  <querystringreplace replaceTag="{EntityName}"
      replacetype="runtime"
      replaceparamname="EntityName"
      defvalue=""
      validationpattern="(category)|(section)|(affiliate)|(manufacturer)|(distributor)|(library)" />
  <queryparam paramname="@EntityID"
      paramtype="runtime"
      requestparamname="EntityID"
      sqlDataType="int"
      defvalue="0"
      validationpattern="" />
</query>

I believe this is sufficient to prevent SQL injection (though it'd be nice to have someone who knows the product confirm). Why this isn't mentioned at all in the main SQL interface documentation I'll never understand.

OTHER TIPS

DBI provides a quote method. It's probably best to use this method with a real connection to the targeted database, but if you cannot do this, you can also use the NullP driver instead.

use DBI;
# DBD::NullP ships with DBI, so no real database is needed here
my $dbh = DBI->connect("dbi:NullP:");
# quote() returns $name as a SQL string literal, quotes included
my $quoted_name = $dbh->quote($name);

Note that the result of quote already has single or double quotes around it, so you don't have to write them yourself.
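As an added example (not code from the question or from either answer), the following Perl script puts the question's string concatenation side by side with the quote() approach from this answer, using the in-memory NullP driver so it runs without any database. The sample inputs are constructed for the demonstration; the column and table names follow the question.

```perl
#!/usr/bin/env perl
# Added example: naive concatenation versus DBI's quote() method.
# Uses DBD::NullP (bundled with DBI) so no real database connection is needed.
use strict;
use warnings;
use DBI;

# The NullP driver accepts connections and statements but talks to nothing;
# quote() is implemented generically by DBI, so it works on this handle.
my $dbh = DBI->connect("dbi:NullP:", undef, undef, { RaiseError => 1 })
    or die $DBI::errstr;

# The construction from the question: the value is spliced in unchanged,
# so an embedded single quote terminates the literal early.
sub unsafe_query {
    my ($name) = @_;
    return "SELECT ManufacturerGUID FROM Manufacturer WHERE Name = '$name'";
}

# quote() doubles any embedded single quotes and wraps the value in quotes,
# so the whole input stays inside one string literal. undef becomes NULL.
sub quoted_query {
    my ($name) = @_;
    my $literal = $dbh->quote($name);
    return "SELECT ManufacturerGUID FROM Manufacturer WHERE Name = $literal";
}

# Constructed sample inputs: an ordinary name, a name with an apostrophe,
# and a value of the shape a human-facing form field could receive.
my @samples = (
    "Acme",
    "O'Neil Tools",
    "x' OR '1'='1",
);

for my $name (@samples) {
    print "input:  $name\n";
    print "unsafe: ", unsafe_query($name), "\n";
    print "quoted: ", quoted_query($name), "\n\n";
}
```

Two caveats a practitioner would want. First, NullP has no knowledge of the target server, so it applies DBI's generic quoting (doubling single quotes); that matches SQL Server's rules for ordinary string literals, but a handle to the real database is still the safer choice because the driver can apply server-specific quoting. Second, quoting only protects the string-literal position; if the manufacturer name ever had to appear somewhere else in the statement (an identifier, a number), quote() would not be the right tool, and the queryparam mechanism from the other answer is preferable wherever the API exposes it.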

Maybe you have a table called ManufactuerGUID and you could so easily code CRUDs to that... Outside of that, you are asking the best way to make a bad situation better... How about using SqlParameters for your output, and the parsing will still reject bad things.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow