
Re: postgreSQL web form; Security

From: "Adrian Tineo" <adriantineo(at)softhome(dot)net>
To: pgsql-php(at)postgresql(dot)org, "Davi Leal" <davileal(at)terra(dot)es>
Subject: Re: postgreSQL web form; Security
Date: 2003-07-19 08:53:04
Message-ID: 001d01c34dd3$2fdf08d0$926bd9d9@clairvo
Lists: pgsql-php
> How can we avoid this security risk using PHP & postgreSQL?

Every system has its security caveats. But that doesn't mean it can't be
taken care of. Check these links for some important security issues regarding
PHP and SQL.
http://forums.devshed.com/t20525/s7cec8677087e43c40ce670ad005d327c.html
http://es2.php.net/manual/en/security.database.php

What I do is verify all user input ($_GET and $_POST array) and not allow
certain characters, most importantly ";". If they can't put a ";" they can't
close a query and they can't do SQL injection.

That is, if you want to build the security wall at the application level. For
extra security or for security at DB level you could connect as a previously
created user with only read-access permission. Although at some point you
might need to insert/delete stuff, you can use the read-only user while you
don't need to write. A lot of times you have some public pages that
everybody can access that don't need write permission. Then you can have
other password-protected pages intended only for admins or people you trust
that need write/delete so the security risk would be lower.

Hope that helps.

Adrian Tineo
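The two defences Adrian describes (filtering user input before it reaches the query, and running public pages under a read-only database user) can be exercised side by side. The example below is added here and is not code from the thread; it uses a throwaway SQLite file as a stand-in for PostgreSQL so it runs offline, with a constructed `users` table and constructed names. In SQLite a connection opened with `mode=ro` plays the role that a PostgreSQL role granted only `SELECT` plays in the post; with PHP and PostgreSQL the parameterised lookup corresponds to `pg_query_params()` rather than building the SQL string by hand. The point it makes: a character blacklist that rejects ";" still lets an ordinary apostrophe through, and that apostrophe is parsed as SQL when the value is concatenated into the query text, whereas a bound parameter is never parsed at all, and the read-only connection refuses the write regardless of what the application code does.

```python
"""Added example, not from the original thread: blacklist filtering vs
parameterised queries, plus a read-only connection for public pages.
SQLite stands in for PostgreSQL so the script runs offline."""
import os
import sqlite3
import tempfile


def has_forbidden_chars(value: str) -> bool:
    """The blacklist approach from the post: reject input containing ';'."""
    return ";" in value


def lookup_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    """String-built query: the user-supplied name becomes part of the SQL text."""
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def lookup_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the name is sent as data and never parsed as SQL.
    (PHP/PostgreSQL equivalent: pg_query_params with a $1 placeholder.)"""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def concat_query_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query is rejected by the SQL parser."""
    try:
        lookup_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def open_readonly(path: str) -> sqlite3.Connection:
    """Connection a public page would use; stands in for a SELECT-only role."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def readonly_write_refused(path: str) -> bool:
    """True if an INSERT through the read-only connection is refused."""
    ro = open_readonly(path)
    try:
        ro.execute("INSERT INTO users (name) VALUES (?)", ("mallory",))
        ro.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        ro.close()


def demo() -> dict:
    """Build a constructed users table, run each check, return the results."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        rw = sqlite3.connect(path)  # the admin-page connection: may write
        rw.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
        rw.executemany("INSERT INTO users (name) VALUES (?)",
                       [("alice",), ("O'Brien",)])  # constructed sample rows
        rw.commit()
        results = {
            # A legitimate name with an apostrophe passes the ';' blacklist...
            "filter_accepts_apostrophe": not has_forbidden_chars("O'Brien"),
            # ...and breaks the concatenated query, because it is parsed as SQL.
            "concat_breaks": concat_query_fails(rw, "O'Brien"),
            # The bound parameter finds the row; the apostrophe stays data.
            "param_result": lookup_by_name_param(rw, "O'Brien"),
            # The public-page connection cannot write at all.
            "readonly_refuses_write": readonly_write_refused(path),
        }
        rw.close()
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dictionary in which every check holds: the blacklist accepts the apostrophe, the concatenated query fails, the parameterised query returns the second row's id, and the read-only connection refuses the insert. Against PostgreSQL, the same split maps onto two roles, one granted only `SELECT` on the public tables and one with `INSERT`/`DELETE` for the password-protected admin pages, with every query in both cases passing user input as parameters.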
