| From: | "Matthew D(dot) Fuller" <fullermd(at)over-yonder(dot)net> |
|---|---|
| To: | Mage <mage(at)mage(dot)hu> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-26 11:22:13 |
| Message-ID: | 20040726112213.GT22300@over-yonder.net |
| Lists: | pgsql-general |
On Mon, Jul 26, 2004 at 08:08:35AM +0200 I heard the voice of
Mage, and lo! it spake thus:
> Bill Moran wrote:
> >
> >Simply put:
> >1) If the untrusted value is a string, using a proper escape
> > sequence should make it safe.
>
> In pgsql (and mysql) you can escape almost everything.
>
> update table set a = '5' is correct, even if column a is integer type.
> You can't escape the null value.
Which, IMO, is a great thing; I studiously trained myself to use the
escaping functions on every value I ever use in a query. If you
escape everything unconditionally, without worrying about what type
the column is, there's a lot less chance for mistakes and oversights.
--
Matthew Fuller (MF4839) | fullermd(at)over-yonder(dot)net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
"The only reason I'm burning my candle at both ends, is because I
haven't figured out how to light the middle yet"