Re: [SQL] security: escaping user-supplied data

From: Herouth Maoz <herouth(at)oumail(dot)openu(dot)ac(dot)il>
To: Jason Uhlenkott <jpu31(at)uhlenkott(dot)net>, pgsql-sql(at)postgreSQL(dot)org
Subject: Re: [SQL] security: escaping user-supplied data
Date: 1999-10-12 09:53:44
Message-ID: l03130300b428b43b893a@[147.233.159.109]
Lists: pgsql-sql

At 02:31 +0200 on 12/10/1999, Jason Uhlenkott wrote:

> The statements I generate are usually of the form:
> INSERT INTO foo (bar, bas) VALUES ('abc', 'def');
> but the 'abc' and 'def' come from an untrusted source, so if they supply
> a string like "def'); delete from foo; '" they can make me do this:
> INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');
>
> What do I need to do to prevent this? My current plan is to prepend a
> backslash to every single-quote, backslash, and semicolon in the
> untrusted string. Are there any other special characters I should watch
> out for? Is it possible to do something evil despite your special
> characters being prepended with a backslash?

I don't see why you would want to escape a semicolon. If you escape single
quotes and backslashes, the above situation won't happen - the string won't
be finished until the first unescaped quote - yours - is encountered.
Semicolons are not special in strings.

Herouth

--
Herouth Maoz, Internet developer.
Open University of Israel - Telem project
http://telem.openu.ac.il/~herutma
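The exchange above can be checked mechanically. The following is an added example, not code from the thread or from the PostgreSQL project: it builds Jason's INSERT with and without the escaping Herouth describes (a backslash in front of every backslash and single quote, the convention PostgreSQL used in 1999; modern PostgreSQL with standard_conforming_strings on, the default since 9.1, treats backslashes in ordinary literals as plain characters and escapes a quote by doubling it), then scans the resulting SQL text for statement boundaries the way a parser would, counting only semicolons that fall outside a string literal. It also shows the approach a practitioner would use today, binding the values as parameters so they are never parsed as SQL at all; that part uses an in-memory SQLite database so it runs offline, which is an assumption of the example rather than something the thread discusses. The hostile value is the one from Jason's message.

```python
import sqlite3

# Constructed attacker-controlled value, taken from the quoted message.
HOSTILE = "def'); delete from foo; '"


def escape_backslash_style(value: str) -> str:
    """Prepend a backslash to every backslash and single quote, the scheme
    discussed in the thread. Backslashes are handled first; otherwise the
    backslash added in front of a quote would itself get doubled."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_insert(bar: str, bas: str, escape=None) -> str:
    """Splice the two values into the INSERT text, optionally escaping them.
    This is the string-building style from the thread, kept deliberately so
    the effect of escaping can be observed."""
    if escape is not None:
        bar, bas = escape(bar), escape(bas)
    return f"INSERT INTO foo (bar, bas) VALUES ('{bar}', '{bas}');"


def split_statements(sql: str) -> list[str]:
    """Split SQL text on semicolons that lie outside single-quoted literals.
    Inside a literal, a backslash escapes the following character and a
    doubled quote ('') is a literal quote, so neither of those ends the
    string. A bare semicolon inside a literal is just a character."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\" and i + 1 < len(sql):      # backslash escape
                cur.append(sql[i:i + 2]); i += 2; continue
            if ch == "'" and sql[i + 1:i + 2] == "'":  # doubled quote
                cur.append("''"); i += 2; continue
            if ch == "'":                            # closing quote
                in_str = False
        else:
            if ch == "'":                            # opening quote
                in_str = True
            elif ch == ";":                          # statement boundary
                stmts.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


def insert_with_parameters(bar: str, bas: str) -> tuple[int, str]:
    """Bind the values instead of splicing them into the SQL text. The driver
    passes them to the engine as data, so quotes and semicolons in them can
    never open or close a statement. SQLite is used here only so the example
    runs offline; PostgreSQL drivers expose the same idea with their own
    placeholder syntax. Returns (row count, stored value of bas)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT, bas TEXT)")
    conn.execute("INSERT INTO foo (bar, bas) VALUES (?, ?)", (bar, bas))
    count, stored = conn.execute("SELECT COUNT(*), MAX(bas) FROM foo").fetchone()
    conn.close()
    return count, stored


if __name__ == "__main__":
    raw = build_insert("abc", HOSTILE)
    safe = build_insert("abc", HOSTILE, escape_backslash_style)
    print("unescaped:", raw)
    print("  statements:", split_statements(raw))        # three statements
    print("escaped:  ", safe)
    print("  statements:", split_statements(safe))       # one statement
    print("parameterised:", insert_with_parameters("abc", HOSTILE))
```

Running the block shows the unescaped build splitting into three statements, exactly the outcome Jason describes, while the escaped build stays a single INSERT whose literal still contains the text `delete from foo` as data. The parameterised variant stores the hostile value verbatim in a one-row table without any escaping in application code, which is why binding parameters is the preferred fix and escaping is the fallback for the rare places where a value cannot be bound.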
