| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Peter Kovacs" <peter(dot)kovacs(at)sysdata(dot)siemens(dot)hu> |
| Cc: | pgsql-jdbc(at)postgresql(dot)org, "Toby" <toby(at)paperjet(dot)com> |
| Subject: | Re: [GENERAL] Prepared statement performance... |
| Date: | 2002-10-14 14:11:05 |
| Message-ID: | 12050.1034604665@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-jdbc |
"Peter Kovacs" <peter(dot)kovacs(at)sysdata(dot)siemens(dot)hu> writes:
> Thank you for your explanation. But I still do not see how
>> INSERT INTO Users (username) VALUES ('joe'; DROP TABLE users');
> will be evaluated so that it drops table 'users'. Actually, this should
> evaluate to a syntax error, shouldn't it?
The given example was sloppy, but that doesn't mean that there is no
security risk here. Assuming that the webscript will execute
INSERT INTO Users (username) VALUES ('$1');
(where $1 means the raw string supplied by the form user), consider
input like
'); DROP TABLE users --
This will result in the backend seeing
INSERT INTO Users (username) VALUES (''); DROP TABLE users --');
which is 100% syntactically okay.
So you really need to double or escape quotes and backslashes in
user-supplied strings, or you have a security problem. Nic is correct
to note that this is not specific to Javascript; it is a problem for any
database frontend no matter what it's written in.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Darko Prenosil | 2002-10-14 14:22:54 | Re: Nuance speech recognition server and Postgres |
| Previous Message | Diogo Biazus | 2002-10-14 13:52:51 | PostgreSQL Benchmarks |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2002-10-14 15:04:07 | Re: Changing Column Order (Was Re: MySQL vs PostgreSQL.) |
| Previous Message | Alessio Bragadini | 2002-10-14 13:39:37 | Re: Changing Column Order (Was Re: MySQL vs PostgreSQL.) |