Skip site navigation (1) Skip section navigation (2)

Re: Sanitizing text being stored in text fields - some characters cause problems

From: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
To: Tanstaafl <tanstaafl(at)libertytrek(dot)org>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: Sanitizing text being stored in text fields - some characters cause problems
Date: 2012-02-24 19:33:17
Message-ID: 4F47E5FD.5090806@pinpointresearch.com (view raw or flat)
Thread:
Lists: pgsql-novice
On 02/24/2012 09:58 AM, Tanstaafl wrote:
> As you may have surmised, I am not a programmer, I'm simply trying to 
> get some pointers for our developers. Like I said in my last email, 
> they are not very well versed in postgresql yet

I have to expand a bit on my prior email. I'm trying to be charitable, 
but validating and properly escaping inputs is a basic mandatory part of 
professional software development. No TODO later. No "when I get time." 
No exceptions. The manager of your developers may need to pull a 
Khrushchev and pound the table with his shoe to get everyone's 
attention. Certainly no unvalidated inputs should get through a code-review.

Sadly, you are in good company. Sony Pictures, PBS, HBGary Federal (a 
security company no-less) and even mysql.com made the news in the last 
few months due to breaches tied to SQL injection vulnerabilities.

One of my standard interview questions is "what are two or three of the 
top 10 software security-flaws/programming-errors." SQL injection has 
been #1 on the CWE/SANS most-dangerous software error list 
(http://cwe.mitre.org/top25/) for so many years that I assume the 
question is a softball. Unfortunately I often just get blank stares.

Given the situation you described related to SQL there is a reasonable 
chance you are at risk of OS command injection, buffer-overflow and 
cross-site scripting attacks (#s 2, 3 and 4) as well. Fortunately, 
proper validation and escaping is the common theme for all of them.

Don't assume that nobody will notice or figure out the vulnerability. 
Automated SQL-injection vulnerability scanners are a dime a dozen.

Cheers,
Steve


In response to

Responses

pgsql-novice by date

Next:From: TanstaaflDate: 2012-02-24 21:14:29
Subject: Re: Sanitizing text being stored in text fields - some characters cause problems
Previous:From: Léa MassiotDate: 2012-02-24 19:07:14
Subject: Re: Clusters list - Windows PostgreSQL server

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group