
Re: Escaping strings for inclusion into SQL queries

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Escaping strings for inclusion into SQL queries
Date: 2001-09-04 17:30:54
Lists: pgsql-hackers
Patch removed at the request of the author.  Author will resubmit.

> It has come to our attention that many applications which use libpq
> are vulnerable to code insertion attacks in strings and identifiers
> passed to these applications.  We have collected some evidence which
> suggests that this is related to the fact that libpq does not provide
> a function to escape strings and identifiers properly.  (Both the
> Oracle and MySQL client libraries include such a function, and the
> vast majority of applications we examined are not vulnerable to code
> insertion attacks because they use this function.)
> We therefore suggest that a string escaping function is included in a
> future version of PostgreSQL and libpq.  A sample implementation is
> provided below, along with documentation.
> -- 
> Florian Weimer 	                  Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart 
> RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

[ Attachment, skipping... ]

[ Attachment, skipping... ]

[ Attachment, skipping... ]


  Bruce Momjian                        |
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
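As an added illustration of the kind of escaping function the quoted message asks for (this is not the withdrawn patch, not Florian's sample implementation, and not libpq's own code; the names escape_literal and quote_identifier are assumptions), here is a minimal, length-based escaper for string literals and for identifiers, with constructed sample inputs:

```c
/* Added example: escape text for safe inclusion in a SQL statement.
 * Not the libpq patch discussed in the thread; function names are
 * assumptions chosen for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape `len` bytes of `src` for use inside a single-quoted SQL
 * literal.  Each ' becomes '' and, since PostgreSQL of this era treated
 * backslash as an escape inside literals, each \ becomes \\.  Taking a
 * length (not relying on NUL termination) lets the caller pass data
 * that is not a C string.  `dst` must hold at least 2*len + 1 bytes.
 * Returns the number of bytes written, excluding the terminating NUL.
 * Caveat: with multibyte client encodings the escaper must know the
 * encoding, which this single-byte version does not. */
size_t escape_literal(char *dst, const char *src, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        char c = src[i];
        if (c == '\'' || c == '\\')
            dst[out++] = c;        /* double the metacharacter */
        dst[out++] = c;
    }
    dst[out] = '\0';
    return out;
}

/* Quote `len` bytes of `src` as a SQL identifier: wrap it in double
 * quotes and double any embedded double quote.  `dst` must hold at
 * least 2*len + 3 bytes.  Returns bytes written, excluding the NUL. */
size_t quote_identifier(char *dst, const char *src, size_t len)
{
    size_t out = 0;
    dst[out++] = '"';
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '"')
            dst[out++] = '"';      /* double the embedded quote */
        dst[out++] = src[i];
    }
    dst[out++] = '"';
    dst[out] = '\0';
    return out;
}

int main(void)
{
    char lit[64], ident[64];               /* constructed sample values */
    escape_literal(lit, "O'Reilly", strlen("O'Reilly"));
    quote_identifier(ident, "my\"col", strlen("my\"col"));
    printf("SELECT %s FROM t WHERE name = '%s';\n", ident, lit);
    return 0;
}
```

The caller still has to wrap the escaped literal in its own quotes; the escaper only neutralizes the characters that would otherwise end the literal early.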

