Re: disable multiple queries

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: disable multiple queries
Date: 2000-08-02 20:25:47
Message-ID: 1203.965247947@sss.pgh.pa.us
Lists: pgsql-general

"Poul L. Christiansen" <plc(at)faroenet(dot)fo> writes:
> I'm developing a Cold Fusion (similar to PHP) application and I have a
> security problem. When I load a page "test.cfm?articleid=5" someone can
> alter the URL to
> "test.cfm?articleid=5;create%20table%20plc%20(plc%20int2)" if the hacker
> wanted to create a table.
> The sql passed to PostgreSQL is: "select * from article where articleid
> = #Url.ArticleId#"
> Which means that anybody can pass the sql that they like to PostgreSQL
> by using ";" to separate the queries. This is not good.

> I could of course verify the input and reject it if it wasn't a number,
> but I have almost 2000 different queries with all sorts of input (yes,
> it's a big app.).

> Can't I somehow disable multiple queries per SQL string so that ;
> doesn't work?

No, and if you could it'd still be a pretty incomplete solution.
Consider for example
select * from article where articleid = 123
UNION select-everything-from-some-other-table.
Not to mention possible risks from invoking functions, changing SELECT
to SELECT FOR UPDATE to cause denial-of-service problems, etc.

I'd suggest validating your input if you are worried about attacks
of this nature. It's the only real defense.

regards, tom lane
