| From: | Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz> |
|---|---|
| To: | Ed Finkler <coj(at)cerias(dot)purdue(dot)edu> |
| Cc: | Volkan YAZICI <volkan(dot)yazici(at)gmail(dot)com>, pgsql-php(at)postgresql(dot)org |
| Subject: | Re: Effectiveness of pg_escape_string at blocking SQL |
| Date: | 2005-05-28 05:01:20 |
| Message-ID: | 1117256480.30150.172.camel@lamb.mcmillan.net.nz |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-php |
On Fri, 2005-05-27 at 11:33 -0500, Ed Finkler wrote:
> Volkan YAZICI wrote:
>
> [snip]
>
> > If you think, they're not enough for SQL-Injection attacks, I'd advice
> > you to patch libpq code, not PHP.
>
> This is very helpful information. My initial thinking is that this
> wouldn't be effective at catching SQL injections, but I'll need to
> bounce this off a few other folks.
Given the modus operandi of an SQL inject attack, this should be
perfectly effective at stopping them.
As Bruno said, however, the "bind parameters" approach is a better
approach in general.
Cheers,
Andrew McMillan.
-------------------------------------------------------------------------
Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
DDI: +64(4)803-2201 MOB: +64(272)DEBIAN OFFICE: +64(4)499-2267
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Volkan YAZICI | 2005-05-28 07:01:33 | Re: Effectiveness of pg_escape_string at blocking SQL injection attacks |
| Previous Message | Bruno Wolff III | 2005-05-27 18:13:41 | Re: Effectiveness of pg_escape_string at blocking SQL injection |