Re: Sql injection attacks

From: Geoff Caplan <geoff(at)variosoft(dot)com>
To: Doug McNaught <doug(at)mcnaught(dot)org>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-26 14:16:28
Lists: pgsql-general

DM> Geoff Caplan <geoff(at)variosoft(dot)com> writes:

>> But in web work, you are often using GET/POST data directly in your
>> SQL clauses, so the untrusted data is part of the query syntax and not
>> just a value.

DM> Can you give an example of this that isn't also an example of
DM> obviously bad application design?

I'm no expert to put it mildly, but if you Google for "SQL Injection
Attack" you'll find a lot of papers by security agencies and
consultancies. You could start with these:

They are SQL Server oriented, but many of the issues would apply to

Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154 
