Re: [SQL] security: escaping user-supplied data

From: "Albert REINER" <areiner(at)tph(dot)tuwien(dot)ac(dot)at>
To: pgsql-sql(at)postgreSQL(dot)org
Subject: Re: [SQL] security: escaping user-supplied data
Date: 1999-10-12 12:22:39
Message-ID: 19991012142239.A16678@frithjof
Lists: pgsql-sql

On Tue, Oct 12, 1999 at 11:53:44AM +0200, Herouth Maoz wrote:
> At 02:31 +0200 on 12/10/1999, Jason Uhlenkott wrote:
>
>
> > The statements I generate are usually of the form:
> > INSERT INTO foo (bar, bas) VALUES ('abc', 'def');
> > but the 'abc' and 'def' come from an untrusted source, so if they supply
> > a string like "def'); delete from foo; '" they can make me do this:
> > INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');
> >
> > What do I need to do to prevent this? My current plan is to prepend a
> > backslash to every single-quote, backslash, and semicolon in the
> > untrusted string. Are there any other special characters I should watch
> > out for? Is it possible to do something evil despite your special
> > characters being prepended with a backslash?
>
> I don't see why you would want to escape a semicolon. If you escape single
> quotes and backslashes, the above situation won't happen - the string won't
> be finished until the first unescaped quote - yours - is encountered.
> Semicolons are not special in strings.
>
> Herouth

I once posted a similar question to the pgsql-novice mailing
list. There, David Rugge (1 Aug 1999) told me to escape ', ", and %,
even though I am not quite sure why you have to escape " and %. But
now that I think of it: you also need to escape \, of course, or
backslashes will either get lost or, even worse, may escape the
closing quote (think of $def="\"). Thus, using Perl and Pg, you would
do:

use Pg;
$conn = ...;    # connection setup was elided in the original message

$abc = "abc";
$def = "def";
$conn->exec("INSERT INTO foo (bar, bas) VALUES ('" .
            &stdstr($abc) . "', '" . &stdstr($def) . "')");

# Escape a value for use inside a single-quoted literal.  Backslashes must
# be doubled FIRST: if they were handled last, the backslashes inserted in
# front of the quotes would themselves be doubled, leaving the quote
# unescaped again.
sub stdstr {
    my $or = $_[0];
    $or =~ s/\\/\\\\/g;
    $or =~ s/\'/\\\'/g;
    $or =~ s/\"/\\\"/g;
    $or =~ s/%/\\%/g;
    return $or;
}

Hope that helps,

Albert.

--

---------------------------------------------------------------------------
Post an / Mail to / Skribu al: Albert Reiner <areiner(at)tph(dot)tuwien(dot)ac(dot)at>
---------------------------------------------------------------------------
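The following is an added example, not code from the thread or from PostgreSQL. It shows the escaping the thread discusses (backslash-escaped single-quoted literals, PostgreSQL's default before standard_conforming_strings became the default in 9.1) together with a small check a practitioner can run offline: a scanner that counts top-level statements by looking for semicolons outside string literals. Run against Jason's payload it confirms Herouth's point that escaping ' and \ is enough to keep the payload inside one literal, and it also shows why the order of the substitutions matters: doubling backslashes after the quotes have been escaped turns \' into \\', which the server reads as an escaped backslash followed by an unescaped quote, so the injection works again. The function names, the payload constant and the sample statements are constructed for this example.

```python
PAYLOAD = "def'); delete from foo; '"   # the untrusted value from the thread


def escape_literal(value: str) -> str:
    """Escape for a backslash-escaping single-quoted literal.

    Backslashes are doubled first; the quotes are escaped afterwards so the
    backslash placed in front of each quote is not doubled in turn.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_wrong_order(value: str) -> str:
    """The ordering bug: quotes first, then backslashes (re-enables injection)."""
    return value.replace("'", "\\'").replace("\\", "\\\\")


def build_insert(bar: str, bas: str, escaper=escape_literal) -> str:
    """Assemble the INSERT from the thread with the given escaping function."""
    return "INSERT INTO foo (bar, bas) VALUES ('%s', '%s');" % (escaper(bar), escaper(bas))


def count_statements(sql: str) -> int:
    """Count top-level statements: ';' outside single-quoted literals.

    Inside a literal, a backslash escapes the next character and '' is an
    embedded quote. Double quotes and '%' are not literal delimiters, so they
    are deliberately ignored, matching Herouth's remark about what is special.
    """
    count = 0
    in_string = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "\\":          # backslash escape: skip the escaped char
                i += 2
                continue
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":   # '' inside a literal
                    i += 2
                    continue
                in_string = False   # unescaped quote closes the literal
        else:
            if ch == "'":
                in_string = True
            elif ch == ";":
                count += 1
        i += 1
    return count


def is_single_statement(sql: str) -> bool:
    """True when the assembled text contains exactly one statement."""
    return count_statements(sql) == 1


if __name__ == "__main__":
    # Constructed: the statement Jason showed, with no escaping at all.
    raw = "INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');"
    print("unescaped :", count_statements(raw), "statements")
    print("escaped   :", count_statements(build_insert("abc", PAYLOAD)), "statement")
    print("wrong order:", count_statements(build_insert("abc", PAYLOAD, escape_wrong_order)), "statements")
```

The scanner is a check on the text you are about to send, not a substitute for escaping: it flags the unescaped and wrong-order variants as three statements and accepts the correctly escaped one as a single INSERT.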
