| From: | Geoff Caplan <geoff(at)variosoft(dot)com> |
|---|---|
| To: | Doug McNaught <doug(at)mcnaught(dot)org> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-26 14:16:28 |
| Message-ID: | 23364191259.20040726151628@variosoft.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Doug,
DM> Geoff Caplan <geoff(at)variosoft(dot)com> writes:
>> But in web work, you are often using GET/POST data directly in your
>> SQL clauses, so the untrusted data is part of the query syntax and not
>> just a value.
DM> Can you give an example of this that isn't also an example of
DM> obviously bad application design?
I'm no expert to put it mildly, but if you Google for "SQL Injection
Attack" you'll find a lot of papers by security agencies and
consultancies. You could start with these:
www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.net-security.org/article.php?id=142
They are SQL Server oriented, but many of the issues would apply to
Postgres.
------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Doug McNaught | 2004-07-26 14:30:07 | Re: Sql injection attacks |
| Previous Message | Jerry LeVan | 2004-07-26 13:52:28 | isNumeric function? |