| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Geoff Caplan <geoff(at)variosoft(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-25 23:07:55 |
| Message-ID: | 200407260107.55560.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Geoff Caplan wrote:
> I'm new to Postgres and trying to get up to speed on the security
> issues. There seems to be remarkably little Postgres specific stuff
> on preventing SQL injection attacks.
If you use prepared statements (the details of which vary by programming
language), you should be quite safe.
> Most of the online literature is on MS SQL Server. There, the
> consensus seems to be that the range of potential attacks is so wide
> that attempting to spot attack signatures in posted data is a doomed
> enterprise, and that the safest general approach for any dynamically
> built query is to execute it as a stored procedure.
That won't necessarily help you on PostgreSQL, because in stored
procedures you can paste together queries from user-provided strings.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bill Moran | 2004-07-25 23:17:12 | Re: Sql injection attacks |
| Previous Message | Tom Lane | 2004-07-24 14:34:52 | Re: Search in code |