Skip site navigation (1) Skip section navigation (2)

Re: Sql injection attacks

From: Geoff Caplan <geoff(at)variosoft(dot)com>
To: Doug McNaught <doug(at)mcnaught(dot)org>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-26 14:16:28
Message-ID: 23364191259.20040726151628@variosoft.com (view raw or flat)
Thread:
Lists: pgsql-general
Doug,

DM> Geoff Caplan <geoff(at)variosoft(dot)com> writes:

>> But in web work, you are often using GET/POST data directly in your
>> SQL clauses, so the untrusted data is part of the query syntax and not
>> just a value.

DM> Can you give an example of this that isn't also an example of
DM> obviously bad application design?

I'm no expert to put it mildly, but if you Google for "SQL Injection
Attack" you'll find a lot of papers by security agencies and
consultancies. You could start with these:

www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.net-security.org/article.php?id=142

They are SQL Server oriented, but many of the issues would apply to
Postgres.

------------------ 
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154 


In response to

Responses

pgsql-general by date

Next:From: Doug McNaughtDate: 2004-07-26 14:30:07
Subject: Re: Sql injection attacks
Previous:From: Jerry LeVanDate: 2004-07-26 13:52:28
Subject: isNumeric function?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group