| From: | Geoff Caplan <geoff(at)variosoft(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-26 00:11:47 |
| Message-ID: | 141313517704.20040726011147@variosoft.com |
| Lists: | pgsql-general |
Hi folks,
Peter Eisentraut wrote:
PE> If you use prepared statements (the details of which vary by
PE> programming language), you should be quite safe.
Peter - thanks for the suggestion. You are right: a poorly designed
function might simply concatenate the injected code - I hadn't really
thought it through. The key seems to be to treat the unsafe string as
a value so it can't leak out into the statement, and a parameterised
prepared statement would do this effectively, as you suggest. Very
elegant...
Bill Moran wrote:
BM> To protect yourself from SQL injections, just pass all your data through
BM> PQescapeString()
I'm no expert, but the papers I have been reading suggest that the
usual hygiene advice such as don't display DB error messages and escape
unsafe strings doesn't cover all types of attack. See, for example,
this:
http://www.net-security.org/article.php?id=571
But so far as I can see, Peter's suggestion should provide a workable
robust solution. So thanks again!
------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
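The difference Peter describes, as an added example that is not part of this thread: a login check that concatenates its input beside one that binds the input as a parameter, using Python's sqlite3 module as a stand-in for a PostgreSQL connection (an assumption made so the snippet runs offline; with libpq the parameterised form is PQexecParams). The table contents and the test input are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concatenated(conn, name, password):
    """Poorly designed: the input is spliced into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, name, password):
    """Parameterised: the statement text is fixed; the input is bound as a
    value, so quotes and keywords in it are compared, never executed."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Constructed test input containing a quote; the concatenated version turns
# it into "... AND password = '' OR '1'='1'", which matches every row.
INJECTED = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concatenated(db, "alice", INJECTED))
    print("parameterised:", login_parameterised(db, "alice", INJECTED))
```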