From: "Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 17:37:55
Message-ID: 65937bea0804301037q4febd3a3pf680db64387893e2@mail.gmail.com
Lists: pgsql-hackers
On Wed, Apr 30, 2008 at 10:58 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com> writes:
> > Maybe we can extend the SQL's WITH clause to declare the constant along
> > with the query, and not separate from the query.
>
> > WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> > SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
>
> [ scratches head... ] And that will provide SQL injection protection how?
Well, if the query was:
WITH CONSTANT c_jobrole = <value from a FORM text field>, CONSTANT c_dept = 10
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
And if the attacker supplied a value 'clerk OR 1=1' the final query (after
replacing constants) would look like this:
SELECT * FROM emp WHERE jobrole = 'clerk OR 1=1' and deptno = 10;
The attacker was not able to inject any new code there.
(reiterates: and let postgres allow literals only in the WITH clause)
>
> Anyway, you hardly need new syntax to do that, I'd expect
>
> WITH SELECT 'clerk' AS c_jobrole ...
>
> to accomplish it just fine.
>
I am not sure I understood this example.
Best regards,
--
gurjeet[(dot)singh](at)EnterpriseDB(dot)com
singh(dot)gurjeet(at){ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB http://www.enterprisedb.com
Mail sent from my BlackLaptop device
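Added illustration, not part of the thread: the protection being discussed comes from keeping the form value out of the SQL text entirely, which is what bind parameters already do. The script below is example code written for this page, not anything from PostgreSQL or the posters. It uses Python's sqlite3 with `?` placeholders standing in for PostgreSQL's PREPARE/$1 parameters; the `emp`, `jobrole` and `deptno` names come from the thread, while the `ename` column and the rows are constructed. It runs the thread's payload `clerk OR 1=1` (which stays inside the quotes and simply matches nothing) next to the payload an attacker would actually use against string concatenation, one that closes the quote and comments out the rest.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "emp" table.
EMP_ROWS = [
    ("alice", "clerk", 10),
    ("bob", "clerk", 20),
    ("carol", "manager", 10),
    ("dave", "analyst", 30),
]


def make_db():
    """Build an in-memory emp table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (ename TEXT, jobrole TEXT, deptno INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)", EMP_ROWS)
    return conn


def query_concatenated(conn, jobrole, deptno=10):
    """Vulnerable: the form value is spliced into the SQL text, so quote
    characters in it are parsed as SQL rather than treated as data."""
    sql = "SELECT ename FROM emp WHERE jobrole = '%s' AND deptno = %d" % (jobrole, deptno)
    return sorted(r[0] for r in conn.execute(sql))


def query_parameterized(conn, jobrole, deptno=10):
    """Safe: the value is bound as a parameter after the statement is parsed,
    so it can only ever be compared against jobrole, never executed."""
    sql = "SELECT ename FROM emp WHERE jobrole = ? AND deptno = ?"
    return sorted(r[0] for r in conn.execute(sql, (jobrole, deptno)))


def demo():
    """Run the same inputs through both query styles and return the rows seen."""
    conn = make_db()
    # The thread's payload has no quote in it, so concatenation leaves it
    # inside the literal: WHERE jobrole = 'clerk OR 1=1' matches nothing.
    thread_payload = "clerk OR 1=1"
    # The payload that actually injects: the quote ends the literal, OR 1=1
    # makes the predicate true for every row, and "--" comments out the
    # trailing "AND deptno = 10".
    real_payload = "clerk' OR 1=1 --"
    return {
        "benign_concat": query_concatenated(conn, "clerk"),
        "benign_param": query_parameterized(conn, "clerk"),
        "thread_payload_concat": query_concatenated(conn, thread_payload),
        "real_payload_concat": query_concatenated(conn, real_payload),
        "real_payload_param": query_parameterized(conn, real_payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-22s %s" % (name, rows))
```

With the real payload the concatenated query returns every employee regardless of department, while the parameterized query returns nothing because the whole string `clerk' OR 1=1 --` is compared against `jobrole` as a single value. That is the property a server-side "literals only" constant clause would have to reproduce, and it is only achieved if the value never passes through the SQL parser as text.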