Re: Protection from SQL injection

From: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 09:14:11
Message-ID: 5f211bd50804270214s852989me86c61caecadb5b@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-sql

Hi,

> providing a mode in which the server would reject PQexec strings containing more than one query.

That wouldn't help a lot. The simple SQL injection is not detected:

ResultSet rs = stat.executeQuery(
"SELECT * FROM USERS WHERE PASSWORD='" + password + "'");

An attacker would only need to use the following password:

' OR 1=1

The the SQL statements is still only one query:

SELECT * FROM USERS WHERE PASSWORD='' OR 1=1

Regards,
Thomas

In response to

Browse pgsql-sql by date

  From Date Subject
Next Message Ivan Sergio Borgonovo 2008-04-27 09:29:09 Re: Protection from SQL injection
Previous Message Thomas Mueller 2008-04-27 09:08:56 Re: Protection from SQL injection