Re: SQL safe input?

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: cbraden <cbraden(at)douglasknight(dot)com>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: SQL safe input?
Date: 2005-08-26 20:44:15
Message-ID: 20050826204415.GA11078@wolff.to
Lists: pgsql-novice

On Fri, Aug 26, 2005 at 15:53:14 -0400,
cbraden <cbraden(at)douglasknight(dot)com> wrote:
> Folks,
>
> I would like to know how to prevent SQL attacks on a postgreSQL server.
>
> I know in mySQL you can put any input going to the DB through a filter
> which encodes anything which would be malicious into mySQL safe data. I
> need something similar in postgreSQL. Specifically as a php
> implementation if it exists.

IMO the best way to do this is to use bind parameters to pass user input
to queries. Then you don't need to escape anything. You might still check
for very long strings.
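The approach described above, as an added PHP example that is not part of the original thread: user input is passed to PostgreSQL as bind parameters with pg_query_params() and with a PDO prepared statement, plus a length check before the value reaches the database. The connection string, the users(name, email) table and the sample input are assumptions made for the example.

```php
<?php
// Added example (not from the original thread): passing user input to
// PostgreSQL with bind parameters instead of building SQL from strings.
// Assumes a server reachable via the connection strings below and a
// table "users(name text, email text)"; both are assumptions.

// Reject over-long input before it reaches the database, as the reply
// suggests; bind parameters handle quoting, not size.
function checkLength(string $value, int $max): string
{
    if (strlen($value) > $max) {
        throw new InvalidArgumentException("input longer than {$max} bytes");
    }
    return $value;
}

// Constructed sample input standing in for $_GET / $_POST data; it
// contains a quote and a semicolon, which is exactly what string
// interpolation gets wrong.
$name = checkLength("O'Brien; extra text", 100);

$conn = pg_connect("host=localhost dbname=example user=app");
if ($conn === false) {
    die("connection failed\n");
}

// UNSAFE (shown only for contrast): the value becomes part of the SQL text.
// $res = pg_query($conn, "SELECT email FROM users WHERE name = '$name'");

// SAFE: pg_query_params() sends the SQL and the values separately, so a
// value can never change the structure of the statement. $1 is the
// PostgreSQL placeholder syntax.
$res = pg_query_params(
    $conn,
    'SELECT email FROM users WHERE name = $1',
    [$name]
);
if ($res === false) {
    die(pg_last_error($conn) . "\n");
}
while ($row = pg_fetch_assoc($res)) {
    echo $row['email'], "\n";
}
pg_close($conn);

// The same with PDO prepared statements (PDO_PGSQL driver). Emulated
// prepares are switched off so the server itself receives the
// statement and the parameters separately.
$pdo = new PDO('pgsql:host=localhost;dbname=example', 'app', '');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare('SELECT email FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
foreach ($stmt as $row) {
    echo $row['email'], "\n";
}
```

Either style removes the need for an escaping filter: the database receives the query text and the parameter values on separate channels, so quoting inside a value has no effect on the statement. The length check remains a separate, application-level decision about what sizes are reasonable for the field.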
