On Fri, Feb 21, 2003 at 03:09:01PM -0800, Dennis Gearon wrote:
> Is there any links for escaping characters and sql injection prevention in postgres?
>
> I have read where the ' character is not really the preferred escaping character, but it does seem
> to be the one I've seen for postgres.
>
> Can multiple statements be issued in postgres, like:
>
> 'select count(*) from MyTable; drop MyTable;'
You can solve the SQL injection problem by escaping all single quotes (')
and backslashes (\) with a backslash.
I'm not sure about the multiple statement thing. It used to work but I'm not
sure if it still does.
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Support bacteria! They're the only culture some people have.
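Added example, not part of the thread and not PostgreSQL's own code: the backslash recipe from the reply next to the SQL-standard quote-doubling recipe, applied to the query from the question, together with a small statement splitter that counts how many statements a spliced-in value actually produces. The names escape_backslash_style, escape_sql_standard, split_statements, build_query, statement_count and PAYLOAD are invented for this example; the backslash_escapes flag models whether the server treats a backslash inside an ordinary string literal as an escape (PostgreSQL before 9.1, or standard_conforming_strings = off) or as a plain character (standard_conforming_strings = on, the default since 9.1).

```python
# Added example (not from the thread and not PostgreSQL's own code). It
# implements the two escaping recipes a Python client could apply before
# splicing a value into a query string, plus a small statement splitter
# used to show whether a value smuggles in a second statement of the kind
# the question asks about. Names (escape_backslash_style, split_statements,
# build_query, statement_count, PAYLOAD) are invented for this example.


def escape_backslash_style(value: str) -> str:
    """The reply's recipe: put a backslash before every ' and \\.

    This only protects you if the server treats backslashes inside ordinary
    string literals as escapes (PostgreSQL before 9.1, or any version with
    standard_conforming_strings = off). With standard_conforming_strings = on
    the backslash is a plain character and \\' still ends the literal.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_sql_standard(value: str) -> str:
    """SQL-standard recipe: double every single quote ('' inside a literal).

    PostgreSQL honours '' under both settings of standard_conforming_strings.
    """
    return value.replace("'", "''")


def split_statements(sql: str, backslash_escapes: bool) -> list[str]:
    """Split SQL text at top-level semicolons, honouring '...' literals and
    -- line comments.

    backslash_escapes=True models a server where a backslash inside a literal
    escapes the next character; False models standard_conforming_strings = on,
    where only '' escapes a quote.
    """
    statements: list[str] = []
    buf: list[str] = []
    in_string = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if backslash_escapes and ch == "\\" and i + 1 < len(sql):
                buf.append(sql[i:i + 2])   # escaped char stays in the literal
                i += 2
                continue
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    buf.append("''")       # doubled quote, literal continues
                    i += 2
                    continue
                in_string = False          # closing quote
        elif ch == "'":
            in_string = True
        elif sql.startswith("--", i):       # comment runs to end of line
            newline = sql.find("\n", i)
            i = len(sql) if newline == -1 else newline
            continue
        elif ch == ";":                     # statement boundary
            text = "".join(buf).strip()
            if text:
                statements.append(text)
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def build_query(name: str, escape=None) -> str:
    """Splice a user-supplied value into the query from the question.
    escape is the escaping function to apply; None is the vulnerable version."""
    literal = name if escape is None else escape(name)
    return f"select count(*) from MyTable where name = '{literal}'"


# Constructed attacker input: closes the literal, appends a second statement,
# and comments out the quote the template adds at the end.
PAYLOAD = "x'; drop table MyTable --"


def statement_count(escape, backslash_escapes: bool) -> int:
    """How many statements the spliced query contains under a given server setting."""
    return len(split_statements(build_query(PAYLOAD, escape), backslash_escapes))


if __name__ == "__main__":
    for label, escape in (("no escaping", None),
                          ("backslash style", escape_backslash_style),
                          ("quote doubling", escape_sql_standard)):
        for setting in (True, False):
            n = statement_count(escape, setting)
            print(f"{label:16} backslash_escapes={setting!s:5} -> {n} statement(s)")
    # The robust fix is to let the driver carry the value separately from the
    # SQL text, e.g. psycopg2:
    #   cur.execute("select count(*) from MyTable where name = %s", (name,))
```

The run shows the caveat the reply's recipe needs: backslash escaping yields one statement only when the server honours backslash escapes, and falls back to two statements under standard_conforming_strings = on, while quote doubling yields one statement in both settings. On the multi-statement question itself, the libpq simple-query path (PQexec, which psql uses) does accept several semicolon-separated commands in one string, whereas the parameterised path (PQexecParams, PQprepare) accepts only one, which is one more reason to pass values as parameters rather than splicing them into the query text.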