
Re: Sanitizing text being stored in text fields - some characters cause problems

From: Tanstaafl <tanstaafl(at)libertytrek(dot)org>
To: pgsql-novice(at)postgresql(dot)org
Subject: Re: Sanitizing text being stored in text fields - some characters cause problems
Date: 2012-02-24 21:14:29
Message-ID: 4F47FDB5.8060703@libertytrek.org
Lists: pgsql-novice
Thanks very much Steve for the candid response, and more importantly the 
links to get us started down the straight and narrow...

I will be taking this all to heart, and have already scheduled a 'come 
to Jesus' meeting for Monday for the Project Manager.

Simon

On 2012-02-24 2:33 PM, Steve Crawford <scrawford(at)pinpointresearch(dot)com> 
wrote:
> On 02/24/2012 09:58 AM, Tanstaafl wrote:
>> As you may have surmised, I am not a programmer, I'm simply trying to
>> get some pointers for our developers. Like I said in my last email,
>> they are not very well versed in postgresql yet
>
> I have to expand a bit on my prior email. I'm trying to be charitable,
> but validating and properly escaping inputs is a basic mandatory part of
> professional software development. No TODO later. No "when I get time."
> No exceptions. The manager of your developers may need to pull a
> Khrushchev and pound the table with his shoe to get everyone's
> attention. Certainly no unvalidated inputs should get through a
> code-review.
>
> Sadly, you are in good company. Sony Pictures, PBS, HBGary Federal (a
> security company, no less) and even mysql.com made the news in the last
> few months due to breaches tied to SQL injection vulnerabilities.
>
> One of my standard interview questions is "what are two or three of the
> top 10 software security-flaws/programming-errors." SQL injection has
> been #1 on the CWE/SANS most-dangerous software error list
> (http://cwe.mitre.org/top25/) for so many years that I assume the
> question is a softball. Unfortunately I often just get blank stares.
>
> Given the situation you described related to SQL there is a reasonable
> chance you are at risk of OS command injection, buffer-overflow and
> cross-site scripting attacks (#s 2, 3 and 4) as well. Fortunately,
> proper validation and escaping is the common theme for all of them.
>
> Don't assume that nobody will notice or figure out the vulnerability.
> Automated SQL-injection vulnerability scanners are a dime a dozen.
>
> Cheers,
> Steve
>
>

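The thread's subject ("some characters cause problems") and Steve's reply describe the two faces of one bug: a query built by string concatenation breaks on a legitimate apostrophe (O'Brien) and is hijacked by a crafted one (' OR '1'='1). The example below is added here and is not code from either poster. It uses Python's standard-library sqlite3 driver so it runs offline; the sample rows, table name and payload are constructed for illustration. The mechanism it shows, binding values through the driver's parameter placeholder instead of splicing them into the SQL text, is the same one a PostgreSQL driver such as psycopg2 provides (with `%s` placeholders rather than `?`), and it makes "sanitizing" characters out of stored text unnecessary.

```python
import sqlite3

# Constructed sample data (not from the original thread).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("O'Brien", "obrien@example.invalid"),
]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    # VULNERABLE: the user-controlled value becomes part of the SQL text,
    # so any quote in it changes the statement's structure. This is the
    # pattern that makes "some characters cause problems".
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # The driver binds the value separately from the statement. Whatever
    # characters it contains, it is compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def store_safe(conn, name, email):
    """Insert with bound parameters and read the stored name back verbatim."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, email))
    row = conn.execute(
        "SELECT name FROM users WHERE email = ?", (email,)
    ).fetchone()
    return row[0]


def unsafe_lookup_breaks(conn, name):
    """True if the concatenated query fails to parse for this input."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    payload = "' OR '1'='1"           # classic tautology injection
    unsafe_rows = lookup_unsafe(conn, payload)   # every row leaks
    safe_rows = lookup_safe(conn, payload)       # no such user: empty
    # A real name with an apostrophe: the concatenated query is a syntax
    # error, the parameterized one simply finds the row.
    legit_breaks = unsafe_lookup_breaks(conn, "O'Brien")
    legit_rows = lookup_safe(conn, "O'Brien")
    # Text that looks like an attack is stored intact; nothing is dropped
    # or escaped by hand, and the table is still there afterwards.
    stored = store_safe(conn, "D'Angelo; DROP TABLE users; --",
                        "dangelo@example.invalid")
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return (len(unsafe_rows), len(safe_rows), legit_breaks,
            len(legit_rows), stored, total)


if __name__ == "__main__":
    print(demo())
```

Run it and compare the two lookups: the concatenated version returns all three constructed rows for the tautology payload and raises a syntax error on "O'Brien"; the bound version returns nothing for the payload and exactly the O'Brien row for the name. The point for the developers in the thread is that the driver, not the application, is responsible for quoting, so the stored text can contain any character the column type allows.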


Copyright © 1996-2014 The PostgreSQL Global Development Group