Geoff Caplan <geoff(at)variosoft(dot)com> wrote:
> BM> To protect yourself from SQL injections, just pass all your data through
> BM> PQescapeString()
> I'm no expert, but the papers I have been reading suggest that the
> usual hygene advice such as don't display DB error messages and escape
> unsafe strings doesn't cover all types of attack. See, for example,
> But so far as I can see, Peter's suggestion should provide a workable
> robust solution. So thanks again!
Hope that works for you. I still think you're ignoring basic data validation.
1) If the untrusted value is a string, using a proper escape sequence should
make it safe.
2) If the untrusted value is not a string, then it should be tested for
proper value (i.e. if it should be a number, it should be ensured that
it _is_ a number, and nothing else) invalid values should trigger an
I don't see how storing the SQL in some different location is the correct
way to fix anything? Besides, the suggestions made in that paper only work
with ASP and JDBC ... how do you accomplish the same thing in PHP, for
Just my opinion. Take it or leave it as you see fit.
In response to
pgsql-general by date
|Next:||From: Jim Seymour||Date: 2004-07-26 02:40:12|
|Subject: Re: Sql injection attacks|
|Previous:||From: Tom Lane||Date: 2004-07-26 00:27:35|
|Subject: Re: locale-specific sort algorithms undocumented? |