
Re: Protecting a web app from Postgresql injection

From: Andres Ledesma <alchir(at)yahoo(dot)com>
To: Mary Anderson <maryfran(at)demog(dot)berkeley(dot)edu>, pgsql-novice(at)postgresql(dot)org
Subject: Re: Protecting a web app from Postgresql injection
Date: 2008-02-01 05:19:31
Message-ID: 766490.5838.qm@web38012.mail.mud.yahoo.com
Lists: pgsql-novice
 Hi,

It may be interesting to read this: http://lwn.net/Articles/185813/

And, IMHO: 
In a web app you can take advantage of the possibility of having several layers, the n-layers model, to validate and filter, and even change as needed, the user's input when the security of your app is at risk. In that sense, avoiding undesired chars in the db tables starts at the web pages in the form of JavaScript validation, goes on in the middleware, and can be done one last time in the functions that insert content into tables.

Personally I prefer to use functions (stored procs) for inserts and updates of table contents, and never use SQL code in web pages or in middleware objects; there is always a function that inserts or modifies the table contents. This allows me to have the db structure deep at the bottom layer of the app, so that only the people dealing with the db know the real structure of the tables, or the db.

Hope these simple hints help.

Andy
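The stored-function approach Andy describes, as an added SQL example that is not part of the original message: the application role gets EXECUTE on one insert function and no rights on the table itself, and the function does the last-line validation. The app schema, customer table, webapp role and insert_customer function are all assumed names.

```sql
-- Schema, table and application role are constructed for this example.
CREATE SCHEMA app;
CREATE ROLE webapp LOGIN;

CREATE TABLE app.customer (
    id    serial PRIMARY KEY,
    name  text   NOT NULL,
    email text   NOT NULL UNIQUE
);

-- The only way to insert a customer. The parameters are bound values inside
-- a static INSERT, so caller input is never spliced into SQL text.
CREATE OR REPLACE FUNCTION app.insert_customer(p_name text, p_email text)
RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER                 -- runs with the owner's rights, not the caller's
SET search_path = app, pg_temp   -- pin the search path so nothing can shadow app.customer
AS $$
DECLARE
    new_id integer;
BEGIN
    -- Last-line validation in the database layer, as the post suggests.
    IF p_name IS NULL OR length(btrim(p_name)) = 0 OR length(p_name) > 100 THEN
        RAISE EXCEPTION 'invalid name';
    END IF;
    IF p_email IS NULL OR p_email !~ '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$' THEN
        RAISE EXCEPTION 'invalid email';
    END IF;

    INSERT INTO app.customer (name, email)
    VALUES (btrim(p_name), lower(p_email))
    RETURNING id INTO new_id;
    RETURN new_id;
END;
$$;

-- Least privilege: the web role can call the function but cannot read or
-- write the table directly, so the table layout stays hidden from it.
REVOKE ALL ON SCHEMA app FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO webapp;
REVOKE ALL ON app.customer FROM PUBLIC, webapp;
REVOKE ALL ON FUNCTION app.insert_customer(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.insert_customer(text, text) TO webapp;

-- From the middleware, always call it with a parameterized statement, e.g.
--   SELECT app.insert_customer($1, $2)
-- Quotes or semicolons in a parameter arrive as plain data, never as SQL.
```

Because the function is SECURITY DEFINER, pinning search_path matters: without it, an object of the same name earlier on the caller's path could be resolved instead of app.customer.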
