
postgreSQL web form; Security

From: Davi Leal <davileal(at)terra(dot)es>
To: pgsql-php(at)postgresql(dot)org
Cc: web-dev(at)gnuherds(dot)org
Subject: postgreSQL web form; Security
Date: 2003-07-14 19:10:14
Message-ID: 200307142110.14069.davileal@terra.es
Lists: pgsql-php
Hi,

We are developing a web page: PHP & PostgreSQL. We can transform the (a) query below into the (b) query if we add
 "01001'); DELETE * FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001"
as the value of Id in the web form.

(a) INSERT INTO tbRev (Id) VALUES ('01001');

(b) INSERT INTO tbRev (Id) VALUES ('01001'); DELETE FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001');


We are able to delete registers. We have checked and it works! Microsoft Access 2000 does not allow me to execute a composed query. It warns with something similar to "ERROR; -2147217900 [Microsoft][Microsoft Access ODBC Driver] Characters after the end of the first SQL query".


How can we avoid this security risk using PHP & PostgreSQL?

Regards,
Davi
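The following is an added example, not code from Davi's post or from the PostgreSQL project. It shows the INSERT from the post written so that the form value can never be parsed as SQL: a parameterised query via pg_query_params() (PHP >= 5.1), and, for the case where a statement must be assembled as text, pg_escape_literal() (PHP >= 5.4.4). pg_query_params() also accepts only a single SQL command per call, so a stacked "...; DELETE FROM tbHosp; ..." payload is rejected outright rather than executed. The table tbRev(Id), the 5-digit format check and the connection string values are assumptions.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 5.4.4 with the
// pgsql extension, a table tbRev(Id) and a reachable database; the connection
// string values below are placeholders.

// The vulnerable pattern from the post: the form value is spliced into the
// SQL text, so quote characters in the value change the statement itself.
function buildInsertUnsafe(string $id): string
{
    return "INSERT INTO tbRev (Id) VALUES ('" . $id . "');";
}

// Safe pattern 1: parameterised query. The SQL text is fixed and the value is
// sent separately, so the server stores it literally. pg_query_params() also
// rejects query strings containing more than one command.
function insertRevSafe($conn, string $id): bool
{
    $result = pg_query_params(
        $conn,
        'INSERT INTO tbRev (Id) VALUES ($1)',
        array($id)
    );
    return $result !== false;
}

// Safe pattern 2: if a statement really has to be built as text, quote the
// value with pg_escape_literal(), which doubles embedded quotes for you.
function buildInsertEscaped($conn, string $id): string
{
    return 'INSERT INTO tbRev (Id) VALUES (' . pg_escape_literal($conn, $id) . ');';
}

// Defence in depth: accept only the format the field is expected to carry.
// tbRev.Id in the post looks like a 5-digit code (assumption); adjust as needed.
function isValidRevId(string $id): bool
{
    return preg_match('/^\d{5}$/', $id) === 1;
}

$conn = pg_connect('host=localhost dbname=placeholder_db user=placeholder_user password=placeholder_pw');
if ($conn === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}

// Reject malformed input before it reaches the database at all.
$id = isset($_POST['Id']) ? $_POST['Id'] : '';
if (!isValidRevId($id)) {
    http_response_code(400);
    exit('invalid Id');
}

if (!insertRevSafe($conn, $id)) {
    // Log pg_last_error() server-side; do not echo it to the browser.
    http_response_code(500);
    exit('insert failed');
}
```

Only the parameterised form and the validation check should be used for new code; buildInsertUnsafe() is kept here solely to show the pattern the post describes side by side with its replacement. The escaped-text variant is a fallback for legacy code paths that cannot yet be converted to parameters.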

