I am reviewing a Linux based perl web application that contains a login handler with the ubiquitous

my $sth = $DB->prepare(“SELECT password from passwords where userid=’$userid'”) or die; $sth->execute or die; …

where $userid is initialized from (unsafe, unfiltered) web user input.

It is well known that the DBI documentation recommends that this code should be changed to use the placeholder “?” in place of ‘$userid’ for security.

This code was isolated on an off network box, as-is, for the purpose of a security review. Code like this on an internet server will eventually be cracked as there are bots now that scan for this vulnerability. The access control is also ineffective for protecting anything important because known injections can delete databases, insert bad data or new users, or bypass the access control to allow entry to the web application.

As the application can be configured to use either PostgreSQL or MySQL and questions were raised about comparative vulnerability I tried out both databases and tested each configuration with some SQL injection attempts.

Under PostgreSQL an input of ‘; do bad stuff here; and here; would crash the login cgi as expected and execute the bad stuff.

What was unexpected was that MySQL resisted this attack. This got me to wonder if there was a setting of some sort for DBD::MySQL or elsewhere that limited prepare to 1 statement per call, or was MySQL resistant in some other way.

As I understand it MySQL is not SQL-injection resistant in general.

This is not a question purely about techniques for eliminating SQL injection; for that perhaps see How can I avoid SQL injection attacks?.

The question is: Is MySQL somehow more resistant than PostgreSQL to SQL injection attack under the PERL DBI and why might this be the case?