Skip site navigation (1) Skip section navigation (2)

Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

From: John R Pierce <pierce(at)hogranch(dot)com>
To: David Kerr <dmk(at)mr-paradox(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)
Date: 2010-02-05 20:09:57
Message-ID: 4B6C7B15.2030406@hogranch.com (view raw or flat)
Thread:
Lists: pgsql-general
David Kerr wrote:
> Howdy all,
>
> We're using Postgres 8.3 with all of our apps connecting to the database
> with Hibernate / JPA.
>
> Our security team is concerned about SQL Injection attacks, and would 
> like to implement some mod_security rules to protect against it.
>
> From what I've read Postgres vanilla is pretty robust when it comes to
> dealing with SQL Injection attacks,
>

that would be a function of how you use Postgresql.   if you do the 
typical PHP hacker style of building statements with inline values then 
executing them, you're vunerable unless you totally sanitize all your 
inputs.     see http://xkcd.com/327/

if you use parameterized calls (easy in perl, java, etc but not so easy 
in php), you're should be immune.  in the past there were some issues 
with specific evil mis-coded UTF8 sequences, but afaik, thats been 
cleared up for quite a while.


> and when you put an abstraction layer like Hibernate on top of it, 
> you're basically rock solid against them.

I would assume so, but I'm not familiar with the implementation details 
of Hibernate.


> Does anyone have experience here? One of our security people found a 
> generic mod_security config file that had a couple of postgres entries 
> in it. Is there a full Postgres config for mod_security that the 
> community recommends?
>
> Can anyone give me a good pros or cons of using mod_security when you 
> have Postgres + Hibernate?
>

isn't mod_security purely for Apache httpd applications?  if you're not 
using apache httpd, it seems like there's no point in using mod_security.




In response to

Responses

pgsql-general by date

Next:From: Ben ChobotDate: 2010-02-05 20:14:09
Subject: questions about a table's row estimates
Previous:From: David KerrDate: 2010-02-05 19:53:32
Subject: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group