Re: SQL safe input?

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: cbraden <cbraden(at)douglasknight(dot)com>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: SQL safe input?
Date: 2005-08-27 03:32:03
Message-ID: 20050827033203.GA12406@wolff.to
Lists: pgsql-novice

Please keep replies copied to the list in order to give more people a chance
to help and to learn from the discussion.

On Fri, Aug 26, 2005 at 16:48:08 -0400,
cbraden <cbraden(at)douglasknight(dot)com> wrote:
> Bruno Wolff III wrote:
>
> >On Fri, Aug 26, 2005 at 15:53:14 -0400,
> > cbraden <cbraden(at)douglasknight(dot)com> wrote:
> >
> >
> >>Folks,
> >>
> >>I would like to know how to prevent SQL attacks on a postgreSQL server.
> >>
> >>I know in mySQL you can put any input going to the DB through a filter
> >>which encodes anything which would be malicious into mySQL safe data. I
> >>need something similar in postgreSQL. Specifically as a php
> >>implementation if it exists.
> >>
> >>
> >
> >IMO the best way to do this is to use bind parameters to pass user input
> >to queries. Then you don't need to escape anything. You might still check
> >for very long strings.
> >
> Sir,
>
> Being a novice, I did not understand what you meant. Do you know a
> reference I can look at to see what you mean?

How you do this depends on how you pass SQL queries to the database.
For example you might want to read the Perl DBI module documentation or
the libpq documentation if you are using that from C. Generally there is
a different library for each programming language.
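
Since the original poster asked for a PHP implementation, here is what "bind parameters" look like from PHP against PostgreSQL. This is an added example, not code from the thread or from the PostgreSQL project. It uses pg_query_params() from PHP's pgsql extension (added in PHP 5.1.0; it needs a PostgreSQL 7.4 or later server, because the parameters travel separately from the query text in the extended query protocol). The table users(username text, email text), the connection string, and the 64-character length cap are assumptions made for the example.

```php
<?php
// Added example (not from the mailing-list thread): passing user input to
// PostgreSQL from PHP as a bind parameter with pg_query_params().
//
// Assumptions made for the example: a table users(username text, email text),
// a connection string with placeholder credentials, and a 64-character cap on
// the username. Adjust all three to your schema and deployment.

function lookup_email($conn, $username)
{
    // Bruno's extra check: bind parameters stop injection, but nothing stops a
    // client from sending megabytes of "username". Bound it before it goes out.
    if (strlen($username) > 64) {
        return false;
    }

    // UNSAFE (shown for contrast, do not use): the input is spliced into the
    // SQL text, so  x' OR '1'='1  changes the statement rather than the value.
    //   $sql = "SELECT email FROM users WHERE username = '$username'";
    //   $result = pg_query($conn, $sql);

    // SAFE: the SQL text is constant. Single quotes keep PHP from touching "$1";
    // the server receives the query and the parameter separately and treats the
    // parameter purely as data, so there is nothing to escape and nothing to
    // get wrong.
    $result = pg_query_params(
        $conn,
        'SELECT email FROM users WHERE username = $1',
        array($username)
    );
    if ($result === false) {
        return false;
    }

    $emails = array();
    while ($row = pg_fetch_assoc($result)) {
        $emails[] = $row['email'];
    }
    return $emails;
}

$conn = pg_connect('host=localhost dbname=app user=app password=CHANGEME');
if ($conn === false) {
    die('database connection failed');
}

// Untrusted value straight from the request, with no escaping filter applied.
$username = isset($_GET['username']) ? $_GET['username'] : '';

$emails = lookup_email($conn, $username);
if ($emails === false) {
    header('HTTP/1.0 400 Bad Request');
    exit('bad request');
}
foreach ($emails as $email) {
    // Escape on the way *out* to the browser; that is a separate concern (XSS),
    // not something bind parameters address.
    echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The closest PHP equivalent of the MySQL "filter" the poster describes is pg_escape_string() (or pg_escape_literal() on PHP 5.4 and later), which quotes a value for splicing into SQL text; it works, but every call site has to remember it, which is why the parameterized form above is preferred. PDO's prepare() with ? or :name placeholders on a pgsql DSN gets you the same separation of query text from data if you would rather not use the pgsql extension directly.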
