| From: | brian <brian(at)zijn-digital(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Secure "where in(a,b,c)" clause. |
| Date: | 2008-04-03 17:36:19 |
| Message-ID: | 47F51593.1080205@zijn-digital.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
William Temperley wrote:
> Hi All
>
> I hope this isn't a FAQ, but does anyone have any suggestions as to
> how to make a query that selects using:
> "where in(<comma delimited list>)"
> secure from an sql injection point of view?
>
> I have grid of tiles I'm using to reference geographical points.
> These tiles are identical to the tiling system google maps uses. My
> google maps application works out the tiles it wants to display as a
> list of tile names, and sends this list to a php script.
>
> This works very well, however I'm currently directly concatenating a sql query:
>
> select st_collect(the_geom) from tiles where tilename in
> (<comma delimited list>))
>
> Which leaves my application vulnerable to sql injection.
>
> As the length of the comma delimited list is highly variable I don't
> think I can use a prepared query to increase security.
>
Aside from using a prepared statement, your application code can simply
ensure that each named tile follows whatever naming conventions you have
in place. A very basic regex should do.
b
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Svenne Krap | 2008-04-03 17:36:38 | Re: [GENERAL] SHA1 on postgres 8.3 |
| Previous Message | rihad | 2008-04-03 17:32:00 | Re: choosing the right locking mode |