Skip site navigation (1) Skip section navigation (2)

Re: Sql injection attacks

From: Bill Moran <wmoran(at)potentialtech(dot)com>
To: Geoff Caplan <geoff(at)variosoft(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-26 01:11:33
Message-ID: 20040725211133.0e798140.wmoran@potentialtech.com (view raw or flat)
Thread:
Lists: pgsql-general
Geoff Caplan <geoff(at)variosoft(dot)com> wrote:
> BM> To protect yourself from SQL injections, just pass all your data through
> BM> PQescapeString()
> 
> I'm no expert, but the papers I have been reading suggest that the
> usual hygene advice such as don't display DB error messages and escape
> unsafe strings doesn't cover all types of attack. See, for example,
> this:
> 
> http://www.net-security.org/article.php?id=571
> 
> But so far as I can see, Peter's suggestion should provide a workable
> robust solution. So thanks again!

Hope that works for you.  I still think you're ignoring basic data validation.

Simply put:
1) If the untrusted value is a string, using a proper escape sequence should
   make it safe.
2) If the untrusted value is not a string, then it should be tested for
   proper value (i.e. if it should be a number, it should be ensured that
   it _is_ a number, and nothing else) invalid values should trigger an
   error.

I don't see how storing the SQL in some different location is the correct
way to fix anything?  Besides, the suggestions made in that paper only work
with ASP and JDBC ... how do you accomplish the same thing in PHP, for
example?

Just my opinion.  Take it or leave it as you see fit.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

In response to

Responses

pgsql-general by date

Next:From: Jim SeymourDate: 2004-07-26 02:40:12
Subject: Re: Sql injection attacks
Previous:From: Tom LaneDate: 2004-07-26 00:27:35
Subject: Re: locale-specific sort algorithms undocumented?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group