Re: Protection from SQL injection

From: Sam Mason <sam(at)samason(dot)me(dot)uk>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-28 23:15:44
Message-ID: 20080428231544.GR6870@frubble.xen.chris-lamb.co.uk
Lists: pgsql-hackers

On Mon, Apr 28, 2008 at 08:55:34PM +0200, Thomas Mueller wrote:
> As you know, "SQL injection" is the main security problem of databases today.
>
> I think I found a solution: 'disabling literals'.

I personally think this is wrong; I often have schemas that mean I have
to do things like:

SELECT a.x, a.y, b.z
FROM a, b
WHERE a.a = b.a
AND a.f = 'lit'
AND b.g = 'lit'
AND b.h = $1;

So a big query, with lots of literals and only very few of them actually
come from an untrusted source. Also remember that any literal (i.e. not
just strings) can be quoted, think of dates in queries.

One option I like would be if the programming language (that you're
calling the database from) recorded "tainting" of variables, preferably
if this is done statically in the type system but languages like PHP
seem to prefer to do this sort of thing at run time.

Microsoft's approach of integrating SQL into the language would work as
well; the programmer can't get the quoting wrong then. But I prefer the
approach taken by HaskellDB as it doesn't require new syntax/semantics
to be designed/integrated. HaskellDB is a bit heavy though.

Sam
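The two ideas in the message above, keeping fixed literals inline in the SQL text while binding the few untrusted values as parameters, and having the language track "tainting" of untrusted strings at run time, as an added Python example that is not part of the original thread. It assumes an in-memory SQLite database with a constructed schema matching the query in the post (sqlite3 binds with `?` where PostgreSQL uses `$1`), and the `Tainted` marker, `run_query` and `lookup` helpers are hypothetical names introduced here for illustration:

```python
import sqlite3


class Tainted(str):
    """Hypothetical runtime taint marker for values from an untrusted source.

    A str subclass whose results under '+' stay tainted, so SQL text that was
    assembled by concatenating untrusted input can be recognised before it is
    executed. Only '+' propagates taint here; a real implementation would
    cover every string-building operation.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def setup_db():
    """Constructed sample schema and rows matching the query in the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE a (a INTEGER, x TEXT, y TEXT, f TEXT);
        CREATE TABLE b (a INTEGER, z TEXT, g TEXT, h TEXT);
        INSERT INTO a VALUES (1, 'x1', 'y1', 'lit'),
                             (2, 'x2', 'y2', 'lit'),
                             (3, 'x3', 'y3', 'other');
        INSERT INTO b VALUES (1, 'z1', 'lit', 'alice'),
                             (2, 'z2', 'lit', 'bob'),
                             (3, 'z3', 'lit', 'alice');
    """)
    return conn


# Trusted SQL text: the fixed literals 'lit' stay inline, and the single
# value that comes from an untrusted source is a bound parameter.
# sqlite3 uses '?' where the PostgreSQL query in the post uses $1.
QUERY = """
SELECT a.x, a.y, b.z
FROM a, b
WHERE a.a = b.a
AND a.f = 'lit'
AND b.g = 'lit'
AND b.h = ?
"""


def run_query(conn, sql, params):
    """Execute sql with bound params, refusing SQL text that carries taint.

    Bound parameters are sent as data, so a tainted *value* is fine; tainted
    SQL *text* means untrusted input was concatenated into the statement.
    """
    if isinstance(sql, Tainted):
        raise ValueError("refusing to execute SQL text assembled from untrusted input")
    return conn.execute(sql, params).fetchall()


def lookup(conn, h):
    """Run the post's query for an untrusted value of b.h."""
    return run_query(conn, QUERY, (h,))


if __name__ == "__main__":
    db = setup_db()
    # Untrusted values are bound, so an injection-looking string is just data.
    print(lookup(db, Tainted("alice")))          # [('x1', 'y1', 'z1')]
    print(lookup(db, Tainted("' OR '1'='1")))    # []
    # Concatenating the untrusted value into the SQL text taints the text,
    # and run_query refuses it.
    unsafe = "SELECT a.x FROM a WHERE a.f = '" + Tainted("x") + "'"
    print(isinstance(unsafe, Tainted))            # True
```

The benign and the injection-looking inputs take the same code path: both are bound, so the only difference is which rows match. Tainting catches the other mistake, where a programmer builds the statement text from the untrusted value; with the type-system variant Sam prefers, that mismatch would be a compile-time error rather than a run-time check.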
