Re: Protection from SQL injection

From: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 17:18:40
Message-ID: 20080427191840.494b6bf7@dawn.webthatworks.it
Lists: pgsql-sql
On Sun, 27 Apr 2008 11:55:18 -0400
Joe <dev(at)freedomcircle(dot)net> wrote:

> Ivan Sergio Borgonovo wrote:
> > It'd be nice to have a wrapper that lets you write prepared
> > statements this way:
> >
> > "select a.id, b.name from a join b on a.id=b.id where
> > a.status=$variable1 and b.id>$variable2 etc... but that's a pretty
> > good change to any language parser.

> Python already supports something like that. See PEP 249 
> (http://www.python.org/dev/peps/pep-0249/), under Module Interface,
> the description of the paramstyle parameter. Psycopg2 supports both
> the "format" (C printf) and "pyformat" styles. See the last section
> on this page for an example using the pyformat style: 
> http://www.devx.com/opensource/Article/29071/0/page/3.

That's better than nothing, but it is still a lot of code duplication.
You have to write column names in the SQL statement and in the array,
and... column values are not contextual to the statement.
That's easy... while what I wrote above does look as if it requires a
really special parser.

Furthermore, from the example it looks as if all this is going to
miss the scope of preventing SQL injection, since it doesn't support
prepared statements.


-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it
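The PEP 249 paramstyle mechanism Joe points to, as an added example that is not part of this thread: it contrasts pasting a value into the SQL text with passing it as a separate parameter, on the same join/status/id query Ivan sketched. It uses Python's standard-library sqlite3 instead of psycopg2 so it runs without a PostgreSQL server (sqlite3 spells named placeholders `:name` where psycopg2 spells them `%(name)s`); the tables, rows and the hostile input are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the thread): (id, status, name).
ROWS = [(1, "active", "alice"), (2, "inactive", "bob"), (3, "active", "carol")]


def make_db():
    """Build an in-memory database with tables a(id, status) and b(id, name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table a (id integer primary key, status text)")
    conn.execute("create table b (id integer primary key, name text)")
    for id_, status, name in ROWS:
        conn.execute("insert into a values (?, ?)", (id_, status))
        conn.execute("insert into b values (?, ?)", (id_, name))
    return conn


def query_interpolated(conn, status, min_id):
    """Vulnerable form: the value is spliced into the SQL text, so a quote
    character inside it rewrites the statement instead of being data."""
    sql = ("select a.id, b.name from a join b on a.id=b.id "
           "where a.status='%s' and b.id>%s" % (status, min_id))
    return conn.execute(sql).fetchall()


def query_parameterized(conn, status, min_id):
    """PEP 249 'named' paramstyle: SQL text is fixed, values travel separately.
    With psycopg2 the placeholders would read %(status)s and %(min_id)s."""
    sql = ("select a.id, b.name from a join b on a.id=b.id "
           "where a.status=:status and b.id>:min_id")
    return conn.execute(sql, {"status": status, "min_id": min_id}).fetchall()


def demo():
    """Run both forms on a normal value and on a value containing a quote.
    Returns a dict so the results can be inspected or asserted on."""
    conn = make_db()
    hostile = "x' or '1'='1"   # constructed input: a status nobody has
    return {
        "normal": query_parameterized(conn, "active", 1),   # [(3, 'carol')]
        "interp": query_interpolated(conn, hostile, 0),    # every row leaks
        "param": query_parameterized(conn, hostile, 0),    # [] : treated as data
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The interpolated query returns all three rows because the quote in the input turns the WHERE clause into `a.status='x' or '1'='1' and b.id>0`; the parameterized query compares the whole string as a status value and finds nothing.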
