From: | Barry Lind <barry(at)xythos(dot)com> |
---|---|
To: | list(at)meinsenf(dot)at |
Cc: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: secure sql-statments |
Date: | 2001-11-14 20:06:53 |
Message-ID: | 3BF2CEDD.7070803@xythos.com |
Lists: | pgsql-jdbc |
Michi,
You should use PreparedStatements and you won't need to worry about
doing anything, as the driver will take care of all the work for you.
thanks,
--Barry
list(at)meinsenf(dot)at wrote:
>
> hi,
> I want to make my web-app secure against evil sql-statements!
>
> my sql-strings look like:
>
> updateString = "update table_1 set col_1 = '" + postParam_1 + "'";
> selectString = "select col_1 from table_1 where col_1 like '" + postParam + "'";
> generalSelectString = postParam;
>
> what characters do I have to quote, so that the client can't submit evil sql-statements?
>
> ok: 2 characters I must quote: "'" -> "\'" and "\" -> "\\"
> what other characters do I need to quote???
> perhaps ";" -> "\;"
>
> thanks
> michi
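Barry's advice in working form, as an added example that is not part of the original thread: the two concatenated statements from the question rewritten with PreparedStatement, assuming a table `table_1` with a text column `col_1` and an open `java.sql.Connection` obtained elsewhere. The third case from the question (a whole statement taken from the request) has no parameterised form and has to be rejected rather than quoted.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the thread. Assumes table_1(col_1 text).
public class SafeQueries {

    // The update from the question, kept only for contrast: the value is spliced
    // into the SQL text, so a single quote in postParam1 changes the statement.
    static String unsafeUpdate(String postParam1) {
        return "update table_1 set col_1 = '" + postParam1 + "'";
    }

    // Parameterised update: the driver sends the value separately from the SQL,
    // so nothing in postParam1 has to be quoted by application code.
    static int safeUpdate(Connection conn, String postParam1) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "update table_1 set col_1 = ?")) {
            ps.setString(1, postParam1);
            return ps.executeUpdate();
        }
    }

    // Parameterised LIKE. Binding protects the statement structure, but the
    // LIKE wildcards % and _ inside the bound value are still interpreted by
    // the server, so they are escaped here with '!' as the ESCAPE character.
    // If callers are meant to supply their own wildcards, bind postParam as is.
    static List<String> safeSelectLike(Connection conn, String postParam) throws SQLException {
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(
                "select col_1 from table_1 where col_1 like ? escape '!'")) {
            ps.setString(1, escapeLikeWildcards(postParam));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
            }
        }
        return rows;
    }

    // Make the escape character itself, %, and _ match literally.
    static String escapeLikeWildcards(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```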