| From: | Bill Moran <wmoran(at)potentialtech(dot)com> |
|---|---|
| To: | Geoff Caplan <geoff(at)variosoft(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-26 01:11:33 |
| Message-ID: | 20040725211133.0e798140.wmoran@potentialtech.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Geoff Caplan <geoff(at)variosoft(dot)com> wrote:
> BM> To protect yourself from SQL injections, just pass all your data through
> BM> PQescapeString()
>
> I'm no expert, but the papers I have been reading suggest that the
> usual hygene advice such as don't display DB error messages and escape
> unsafe strings doesn't cover all types of attack. See, for example,
> this:
>
> http://www.net-security.org/article.php?id=571
>
> But so far as I can see, Peter's suggestion should provide a workable
> robust solution. So thanks again!
Hope that works for you. I still think you're ignoring basic data validation.
Simply put:
1) If the untrusted value is a string, using a proper escape sequence should
make it safe.
2) If the untrusted value is not a string, then it should be tested for
proper value (i.e. if it should be a number, it should be ensured that
it _is_ a number, and nothing else) invalid values should trigger an
error.
I don't see how storing the SQL in some different location is the correct
way to fix anything? Besides, the suggestions made in that paper only work
with ASP and JDBC ... how do you accomplish the same thing in PHP, for
example?
Just my opinion. Take it or leave it as you see fit.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim Seymour | 2004-07-26 02:40:12 | Re: Sql injection attacks |
| Previous Message | Tom Lane | 2004-07-26 00:27:35 | Re: locale-specific sort algorithms undocumented? |