Re: Protection from SQL injection

From: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 17:18:40
Message-ID: 20080427191840.494b6bf7@dawn.webthatworks.it
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-sql

On Sun, 27 Apr 2008 11:55:18 -0400
Joe <dev(at)freedomcircle(dot)net> wrote:

> Ivan Sergio Borgonovo wrote:
> > It'd be nice to have a wrapper that let you write prepared
> > statements this way:
> >
> > "select a.id, b.name from a join b on a.id=b.id where
> > a.status=$variable1 and b.id>$variable2 etc... but that's a pretty
> > good change to any language parser.

> Python already supports something like that. See PEP 249
> (http://www.python.org/dev/peps/pep-0249/), under Module Interface,
> the description of the paramstyle parameter. Psycopg2 supports both
> the "format" (C printf) and "pyformat" styles. See the last section
> on this page for an example using the pyformat style:
> http://www.devx.com/opensource/Article/29071/0/page/3.

That's better than nothing but it is still a lot of code duplication.
You've to write column names in the sql statement and in the array
and... column values are not contextual to the statement.
That's easy... while what I wrote above does look as requiring a
really special parser.

Furthermore from the example it looks as if all this is going to
miss the scope to prevent sql injection since it doesn't support
prepared statements.

--
Ivan Sergio Borgonovo
http://www.webthatworks.it

In response to

Responses

Browse pgsql-sql by date

  From Date Subject
Next Message Joe 2008-04-27 18:25:06 Re: Protection from SQL injection
Previous Message Mag Gam 2008-04-27 16:14:49 Re: Curious about wide tables.