Sql injection attacks

From: Geoff Caplan <geoff(at)variosoft(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Sql injection attacks
Date: 2004-07-19 19:14:28
Message-ID: 34204823911.20040719201428@variosoft.com
Lists: pgsql-general

Hi folks,

I'm new to Postgres and trying to get up to speed on the security
issues. There seems to be remarkably little Postgres-specific stuff on
preventing SQL injection attacks.

Most of the online literature is on MS SQL Server. There, the
consensus seems to be that the range of potential attacks is so wide
that attempting to spot attack signatures in posted data is a doomed
enterprise, and that the safest general approach for any dynamically
built query is to execute it as a stored procedure.

In SQL Server, this reportedly works because the syntax of the query
is pre-compiled, and the variables passed in are treated strictly as
data and cannot alter the syntax. So any malicious use of "AND",
"UNION", ";" etc in submitted data will fail.

Can anyone confirm that this would also apply to Postgres Query
Language (SQL) functions? The effectiveness of moving the queries into
the database against SQL injection attack would seem to depend on the
query engine internals. Will using the SQL functions provide the
robust protection I am looking for?

------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
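The mechanism asked about above, shown as an added example that is not part of the original post or the PostgreSQL project's own material. The table, function names and the injected string are constructed for illustration and assume a modern PostgreSQL (dollar quoting, PL/pgSQL `EXECUTE ... USING` and `format()` all exist there). It shows a SQL-language function whose parameter is bound as data, the PL/pgSQL failure mode in which the function itself rebuilds the query text by concatenation, and the parameterised form of that dynamic query.

```sql
-- Constructed demo schema (hypothetical, not from the original post).
CREATE TABLE accounts (
    id       serial  PRIMARY KEY,
    username text    NOT NULL,
    balance  numeric NOT NULL
);
INSERT INTO accounts (username, balance) VALUES ('alice', 100), ('bob', 250);

-- 1. A SQL-language function. $1 is a bound parameter: the planner sees the
--    query shape once, and the caller's string is only ever compared as a
--    value. A quote or an OR inside it are just characters of a username.
CREATE FUNCTION find_account(text) RETURNS SETOF accounts AS $$
    SELECT * FROM accounts WHERE username = $1;
$$ LANGUAGE sql STABLE;

-- The classic payload is looked up as a literal username and matches nothing.
SELECT * FROM find_account($$' OR '1'='1$$);

-- 2. The failure mode that moving logic into the database does NOT cover:
--    a PL/pgSQL function that builds the statement text by concatenation and
--    runs it with EXECUTE. Here the caller's string is parsed as SQL again,
--    so the same payload rewrites the WHERE clause to be always true.
CREATE FUNCTION find_account_dyn_unsafe(text) RETURNS SETOF accounts AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM accounts WHERE username = ''' || $1 || '''';
END;
$$ LANGUAGE plpgsql STABLE;

-- Injectable: the payload escapes the literal and appends OR '1'='1'.
SELECT * FROM find_account_dyn_unsafe($$' OR '1'='1$$);

-- 3. Dynamic SQL done safely: keep the value out of the statement text and
--    hand it over with USING, so it is bound as a parameter of the EXECUTEd
--    query ($1 inside the string) rather than spliced into it.
CREATE FUNCTION find_account_dyn_safe(text) RETURNS SETOF accounts AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM accounts WHERE username = $1'
        USING $1;
END;
$$ LANGUAGE plpgsql STABLE;

SELECT * FROM find_account_dyn_safe($$' OR '1'='1$$);

-- 4. When a piece of the statement cannot be a parameter (a table or column
--    name chosen at run time), quote it as an identifier with format('%I');
--    %L does the same for literals. Never splice raw text.
CREATE FUNCTION count_rows(tbl text) RETURNS bigint AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE format('SELECT count(*) FROM %I', tbl) INTO n;
    RETURN n;
END;
$$ LANGUAGE plpgsql STABLE;

SELECT count_rows('accounts');
```

Two things follow from this. First, the protection comes from parameter binding, not from the code living inside the server: a SQL-language function, or PL/pgSQL that only runs static SQL, gets it for free, but PL/pgSQL that concatenates caller input into `EXECUTE` is as injectable as the same string-building in application code. Second, the call into the function has to be parameterised too; an application that assembles `SELECT * FROM find_account('` + input + `')` as a string reintroduces the problem one layer up, so the client should send `SELECT * FROM find_account($1)` with the value bound through its driver.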
