Skip site navigation (1) Skip section navigation (2)

Re: Sql injection attacks

From: "Daniel Verite" <daniel(at)manitou-mail(dot)org>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-28 16:45:50
Message-ID: (view raw or whole thread)
Lists: pgsql-general
	 Harald Fuchs writes

> Perhaps you mean something like the following:
>   my $sth = $dbh->prepare (q{
>     SELECT whatever
>     FROM mytable
>     WHERE somecol LIKE ? || '%'
>   });
>   $sth->execute ($input);
> Even if $input contains '%' or '_', those characters get properly escaped.

Hum, what makes you think that? if $input is "_foo%", then the DBD
driver will produce this query:
SELECT whatever FROM mytable WHERE somecol like  '_foo%'||'%'
The % and _ characters aren't escaped at all.

That can be confirmed by setting $dbh->trace_level to something greater or equal
than 2 and looking at the Pg DBD driver's output.

 PostgreSQL-powered mail user agent and storage:

In response to


pgsql-general by date

Next:From: JayDate: 2004-07-28 18:12:12
Subject: php -postgresql
Previous:From: Chris GamacheDate: 2004-07-28 16:42:38
Subject: Tsearch2 dump/reload problem

Privacy Policy | About PostgreSQL
Copyright © 1996-2015 The PostgreSQL Global Development Group