| From: | Andy Colson <andy(at)squeakycode(dot)net> |
|---|---|
| To: | PostgreSQL <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: ISO guidelines/strategies to guard injection attacks |
| Date: | 2010-01-19 21:49:17 |
| Message-ID: | 4B5628DD.1070203@squeakycode.net |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 1/19/2010 3:39 PM, Andy Colson wrote:
> On 1/19/2010 3:23 PM, Kynn Jones wrote:
>> I have a Perl CGI script (using DBD::Pg) that interfaces with a
>> server-side Pg database. I'm looking for general
>> guidelines/tools/strategies that will help me guard against SQL
>> injection attacks.
>>
>> Any pointers/suggestions would be much appreciated.
>>
>> ~K
>>
>
> prepare your queries:
>
> my $q = $db->prepare('select something from table where key = $1');
> $q->execute(42);
>
> and..
> $db->do('update table set field = $1 where key = $2', undef, 'key', 42);
>
> (*guessed at the do(). I think there is an undef in there, or something*)
>
> -Andy
>
Also, add to that, in general, use Taint Mode. Perl wont trust data
until its been sanitized... and neither should you.
I have a little helper function:
sub untaint
{
$_[0] =~ /(\w+)/;
return $1;
};
Then later on:
my $xpin = untaint($web->param('pin'));
This makes sure the pin param only contains word characters (so no
dashes, slashes, quotes, or any other crap).
-Andy
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ben Chobot | 2010-01-19 22:17:28 | Re: changing log_min_duration_statement |
| Previous Message | Devrim GÜNDÜZ | 2010-01-19 21:44:50 | Re: changing log_min_duration_statement |