Re: Protection from SQL injection

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com>
Cc: "Thomas Kellerer" <spam_eater(at)gmx(dot)net>, pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 03:42:14
Message-ID: 13670.1209267734@sss.pgh.pa.us
Lists: pgsql-sql

"Scott Marlowe" <scott(dot)marlowe(at)gmail(dot)com> writes:
> Wouldn't it be much simpler to have a version of the libpq client lib
> that only understands prepared queries?

You could do that, but there's still no way for it to know exactly how
the submitted query was constructed. This would block off the types of
injections that want to add whole SQL commands, but not ones that just
subvert the current query (e.g. adding OR TRUE to see data you shouldn't).

This is really a client problem and only client-side solutions will
provide meaningful traction for it. In Perl, for instance, the "taint"
mechanism is a good way to notice whether any insecure strings are
getting into database queries.

regards, tom lane
