
Re: Sql injection attacks

From: Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my>
To: hf0722x(at)protecting(dot)net, pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-28 21:11:08
Message-ID: 5.2.1.1.1.20040729045139.02b49448@localhost
Lists: pgsql-general
At 05:30 PM 7/28/2004 +0200, Harald Fuchs wrote:

>Even if $input contains '%' or '_', those characters get properly escaped.

What versions are you using?

The versions I'm using are a bit old.

DBD::Pg 1.22 (3 versions old)
Postgresql 7.3.4

Schema+data:
create table test3 (a integer, b text);
insert into test3 (a,b) values (1,'a');
insert into test3 (a,b) values (2,'b');
insert into test3 (a,b) values (3,'c');
insert into test3 (a,b) values (4,'d');

code:
#!/usr/bin/perl -wT
use strict;
use DBI();
my ($DBNAME,$DBUSER,$DBPASS)=('DB','user','pass');
# AutoCommit is switched off through the DSN driver attribute, so the
# update below only becomes visible after the explicit commit.
my $dbh = DBI->connect('DBI:Pg(AutoCommit => 0):dbname='.$DBNAME,$DBUSER,$DBPASS);
# Bind the value -1 into the arithmetic expression "1-?" and see what the
# driver sends to the server.
dbdo("update test3 set a=1-? where a=4","error testing",-1);
$dbh->commit;
$dbh->disconnect();
exit 0;

# Prepare $SQL and execute it with the remaining arguments as bind values;
# returns the statement handle and execute()'s return value.
sub dbdo {
    my $SQL=shift||'';
#   dolog('DEBUG',$SQL);
    my $errmsg=shift||'Unable to run database query!';
    my $sth=$dbh->prepare($SQL) or die($errmsg.'|'.$DBI::errstr);
#   dolog('DEBUG','prepared');
    my $rv='';
    $rv=$sth->execute(@_) or die($errmsg.'|'.$DBI::errstr);
#   dolog('DEBUG','executed');
    return ($sth,$rv);
}
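A related check, added here and not part of Lincoln's message or of DBD::Pg itself: a placeholder keeps the bind value out of the SQL text, but '%' and '_' inside that value are still LIKE wildcards, so a pattern built from user input has to be escaped separately. It assumes the same test3 table, DSN, user and password as above and a DBD::Pg that passes bind values as real parameters; the helper names like_escape and count_prefix are chosen here, not taken from the thread.

```perl
#!/usr/bin/perl -wT
use strict;
use DBI();

# Same assumed credentials as the script above.
my ($DBNAME,$DBUSER,$DBPASS)=('DB','user','pass');
my $dbh = DBI->connect('DBI:Pg(AutoCommit => 0):dbname='.$DBNAME,$DBUSER,$DBPASS)
    or die("connect failed|".$DBI::errstr);

# Escape the LIKE metacharacters so a user-supplied string matches itself
# literally. '!' is used as the escape character (declared with ESCAPE
# below) to stay clear of backslash handling in string literals, which
# differs between PostgreSQL versions.
sub like_escape {
    my $s = shift;
    $s =~ s/([!%_])/!$1/g;
    return $s;
}

# Count rows whose b column starts with $prefix. $prefix is always a bind
# value, so quotes or comment markers in it cannot alter the statement;
# like_escape() additionally stops '%' and '_' from acting as wildcards.
sub count_prefix {
    my $prefix = shift;
    my $sth = $dbh->prepare(q{select count(*) from test3 where b like ? escape '!'})
        or die("prepare failed|".$DBI::errstr);
    $sth->execute(like_escape($prefix).'%') or die("execute failed|".$DBI::errstr);
    my ($n) = $sth->fetchrow_array;
    $sth->finish;
    return $n;
}

# Constructed inputs: a plain prefix, a bare wildcard, and a quote-laden
# string of the kind an injection attempt would contain.
for my $input ('a', '%', "a' or '1'='1") {
    printf "%-16s -> %d row(s)\n", $input, count_prefix($input);
}
$dbh->rollback;
$dbh->disconnect;
```

Without like_escape() the second input matches every row; with it, only rows whose b column literally begins with '%' are counted.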
