| From: | Andrew Sullivan <ajs(at)commandprompt(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Protection from SQL injection |
| Date: | 2008-05-01 13:13:27 |
| Message-ID: | 20080501131327.GB6253@commandprompt.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Apr 30, 2008 at 05:33:38PM -0400, Tom Lane wrote:
> you're at risk of some clients being secure and some not. I thought
> what we were discussing was a server-side GUC parameter that would
> disallow more than one SQL statement per PQexec.
That was certainly what I was intending, yes.
The _principal_ trick with SQL injection is to fool the application
into somehow handing a ";" followed by an arbitrary SQL statement.
There are of course other things one can do, but most of them are
constrained to abuse of statements your application already performs.
This injection problem, on the other hand, allows an attacker to do
whatever they want.
Obviously, if the server simply throws an error whenever one tries to
do this, the attack will be foiled. It sounded to me like a patch
that implemented this was already rejected.
I agree that it's a bit filthy, and I'd way prefer that people build
their applications such that these vectors aren't open in the first
place. But given the prevalence of quick and dirty development with
code one hasn't always completely vetted, this might be a nice feature
in some environments. As long as it's possible to turn it off (we'd
probably need to make it require a server restart to make it really
effective), I think it could be useful.
A
--
Andrew Sullivan
ajs(at)commandprompt(dot)com
+1 503 667 4564 x104
http://www.commandprompt.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Chernow | 2008-05-01 13:53:41 | Odd timezone backend output |
| Previous Message | Gregory Stark | 2008-05-01 10:52:20 | Re: [0/4] Proposal of SE-PostgreSQL patches |