
Re: Protection from SQL injection

From: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 09:14:11
Message-ID: 5f211bd50804270214s852989me86c61caecadb5b@mail.gmail.com
Lists: pgsql-sql
Hi,

> providing a mode in which the server would reject PQexec strings containing more than one query.

That wouldn't help a lot. The simple SQL injection is not detected:

// The untrusted password is concatenated straight into the SQL text:
ResultSet rs = stat.executeQuery(
  "SELECT * FROM USERS WHERE PASSWORD='" + password + "'");

An attacker would only need to use the following password:

' OR 1=1

The SQL statement is still only one query:

SELECT * FROM USERS WHERE PASSWORD='' OR 1=1

Regards,
Thomas


Copyright © 1996-2014 The PostgreSQL Global Development Group