| From: | Jason Uhlenkott <jpu31(at)uhlenkott(dot)net> |
|---|---|
| To: | pgsql-sql(at)postgresql(dot)org |
| Subject: | security: escaping user-supplied data |
| Date: | 1999-10-12 00:31:04 |
| Message-ID: | 38028148.8066E930@uhlenkott.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
I am writing a C program that will collect data from various untrusted
sources, and put it in a postgresql database by PQexec'ing an INSERT
INTO statement.
The statements I generate are usually of the form:
INSERT INTO foo (bar, bas) VALUES ('abc', 'def');
but the 'abc' and 'def' come from an untrusted source, so if they supply
a string like "def'); delete from foo; '" they can make me do this:
INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');
What do I need to do to prevent this? My current plan is to prepend a
backslash to every single-quote, backslash, and semicolon in the
untrusted string. Are there any other special characters I should watch
out for? Is it possible to do something evil despite your special
characters being prepended with a backslash?
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 1999-10-12 01:21:02 | Re: [SQL] Question on Inheritance and Primary Keys. |
| Previous Message | Saltsgaver, Scott | 1999-10-11 20:20:55 | Reporting errors when a rule fails. |