
Re: Sql injection attacks

From: "Daniel Verite" <daniel(at)manitou-mail(dot)org>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-28 16:45:50
Message-ID: 20040728184609.1900596@uruguay.brainstorm.fr
Lists: pgsql-general
Harald Fuchs writes:

> Perhaps you mean something like the following:
> 
>   my $sth = $dbh->prepare (q{
>     SELECT whatever
>     FROM mytable
>     WHERE somecol LIKE ? || '%'
>   });
>   $sth->execute ($input);
> 
> Even if $input contains '%' or '_', those characters get properly escaped.

Hum, what makes you think that? If $input is "_foo%", then the DBD
driver will produce this query:
SELECT whatever FROM mytable WHERE somecol like  '_foo%'||'%'
The % and _ characters aren't escaped at all.

That can be confirmed by setting $dbh->trace_level to something greater than or equal
to 2 and looking at the Pg DBD driver's output.

-- 
 Daniel
 PostgreSQL-powered mail user agent and storage: http://www.manitou-mail.org
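The point of the thread, reproduced as an added example that is not part of the original exchange: a bound parameter keeps the input from breaking out of the string literal, so it stops SQL injection, but the database still interprets `%` and `_` inside the bound value as LIKE wildcards. Python's standard-library sqlite3 module stands in here for Perl DBI/DBD::Pg (an assumption; the `LIKE ... ESCAPE` clause used for the fix is standard SQL and PostgreSQL accepts it as well). The table and column names come from the quoted query; `escape_like` and `prefix_match` are helpers written for this example.

```python
import sqlite3

# Constructed sample rows. "_foo%" is the only one that literally starts with
# the string the user typed; the others merely match it as a wildcard pattern.
SAMPLE_ROWS = ["_foo%", "afoox", "xfooy", "bar", "xfoo"]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so a bound value is matched literally.

    The escape character itself is doubled first, then % and _ are prefixed.
    The resulting string must be used with an ESCAPE clause naming `esc`.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def prefix_match(rows, prefix, escape=False):
    """Return the rows whose somecol starts with `prefix`.

    escape=False mirrors the quoted Perl: `somecol LIKE ? || '%'` with the
    raw input bound.  escape=True binds the wildcard-escaped input plus a
    trailing % and tells the engine which character is the escape.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mytable (somecol TEXT)")
    con.executemany("INSERT INTO mytable VALUES (?)", [(r,) for r in rows])
    if escape:
        sql = ("SELECT somecol FROM mytable "
               "WHERE somecol LIKE ? ESCAPE '\\' ORDER BY somecol")
        param = escape_like(prefix) + "%"
    else:
        sql = ("SELECT somecol FROM mytable "
               "WHERE somecol LIKE ? || '%' ORDER BY somecol")
        param = prefix
    # The value travels as a bound parameter in both branches, so quotes in
    # `prefix` never reach the SQL parser; only wildcard semantics differ.
    result = [r[0] for r in con.execute(sql, (param,))]
    con.close()
    return result


if __name__ == "__main__":
    print("raw bind     :", prefix_match(SAMPLE_ROWS, "_foo%"))
    print("escaped bind :", prefix_match(SAMPLE_ROWS, "_foo%", escape=True))
    print("quote in bind:", prefix_match(SAMPLE_ROWS, "x' OR '1'='1"))
```

With the raw bind, "_foo%" becomes the pattern `_foo%%`, which matches four of the five rows; with `escape_like` and the ESCAPE clause only the row that literally begins with `_foo%` is returned. The last call shows the half of the protection that binding does deliver: the quote is data, the pattern `x' OR '1'='1%` simply matches nothing.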
