Skip site navigation (1) Skip section navigation (2)

Re: More PHP DB abstraction layer stuff

From: Greg Stark <gsstark(at)mit(dot)edu>
To: "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk>
Cc: pgsql-general(at)postgresql(dot)org, pgsql-interfaces(at)postgresql(dot)org
Subject: Re: More PHP DB abstraction layer stuff
Date: 2003-01-24 17:22:42
Message-ID: 87k7gupin1.fsf@stark.dyndns.tv (view raw or flat)
Thread:
Lists: pgsql-generalpgsql-interfaces
"Nigel J. Andrews" <nandrews(at)investsystems(dot)co(dot)uk> writes:

> One thing that always gets me is why people think quoting the ' in a string is
> a security feature when they don't allow for someone giving \' in the
> string. On the other hand I'm never sure how to protect against such 'odd
> number of escapes' attacks. Anyone got any clues? Does PQescape do it?

That just means you have to escape \ as well as '.

But the best way to deal with this is to use placeholders and prepared queries
and provide the data out of band. This completely sidesteps the issue and
guarantees you can't get it wrong by mistake ever. Mixing user-provided data
with program code is a recipe for security holes.

-- 
greg


In response to

Responses

pgsql-interfaces by date

Next:From: Dennis GearonDate: 2003-01-24 19:13:53
Subject: Re: More PHP DB abstraction layer stuff
Previous:From: Justin CliftDate: 2003-01-24 16:14:17
Subject: Re: More PHP DB abstraction layer stuff

pgsql-general by date

Next:From: Mikhail TerekhovDate: 2003-01-24 17:23:31
Subject: Re: DBD-Pg
Previous:From: frank_lupoDate: 2003-01-24 17:13:34
Subject: Re: pid in pg_locks not present in procpid pg_stat_activity

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group