Re: Sql injection attacks

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Geoff Caplan" <geoff(at)variosoft(dot)com>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Sql injection attacks
Date: 2004-07-26 10:03:19
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE4569AD@algol.sollentuna.se

> MH> If you use the parametrised formats, e.g.
> MH> "SELECT * FROM foo WHERE bar=(at)bar"
> MH> or just "sp_foo" in the case of the stored procedure (the driver
> MH> will pick up parameter names automatically)
>
> Are you saying that "@bar" is part of the Postgres query
> syntax? If it is, I can't find it in the 7.4 docs. What do
> you mean by "the parameterised formats"? I would appreciate a
> clarification and the URL of the relevant documentation.

Sorry, this is the ADO syntax used in ASP - I was referring to the
incorrect claims about MSSQL you had found. It definitely applies to
MSSQL on ASP, not 100% sure about pgsql on ASP.

Another common syntax is the "?" syntax, e.g. "SELECT * FROM foo WHERE
bar=?", that's used in for example DBI.

So it depends on what interface you are using to connect to the server.
If it's straight libpq, you should look at PQexecParams() or
PQexecPrepared(), see
http://www.postgresql.org/docs/7.4/static/libpq-exec.html.

//Magnus
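The difference Magnus is pointing at, shown side by side as an added example (not code from the thread or from the PostgreSQL project): the same lookup written with string concatenation and with the DBI-style "?" placeholder. Python's bundled sqlite3 module is used as a stand-in for a PostgreSQL connection so it runs without a server; that substitution, the table and rows, and the function names are assumptions of this example. With libpq's PQexecParams() the placeholder is $1, $2, ... and the parameter values travel in a separate array, but the principle is identical: the value is never spliced into the SQL text, so it cannot alter the query's structure.

```python
import sqlite3

# Constructed in-memory table standing in for the "foo" table of the thread.
# sqlite3 is an assumption of this example; PostgreSQL via libpq would use
# PQexecParams() with $1 rather than "?", but the value is still sent separately.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER, bar TEXT)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concatenated(conn, bar):
    # Vulnerable form: the caller's input becomes part of the SQL text itself,
    # so a quote character in the input changes what the statement means.
    sql = "SELECT id FROM foo WHERE bar='" + bar + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, bar):
    # Parameterised form: the SQL text is fixed; the driver binds the value
    # to the "?" placeholder, so it is compared as a literal string only.
    return [row[0] for row in conn.execute("SELECT id FROM foo WHERE bar=?", (bar,))]


# Constructed input containing a quote, the classic shape of an injection attempt.
INJECTED = "x' OR '1'='1"


def demo():
    """Run both lookups on a benign value and on the constructed input."""
    conn = make_db()
    return {
        "concat_normal": lookup_concatenated(conn, "bob"),
        "concat_injected": lookup_concatenated(conn, INJECTED),      # every row leaks
        "param_normal": lookup_parameterised(conn, "bob"),
        "param_injected": lookup_parameterised(conn, INJECTED),      # no match at all
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:16} -> {ids}")
```

Running it shows the concatenated query returning all three ids for the injected value while the parameterised query returns an empty list, because no row has a bar column literally equal to that string. The same test against a real PostgreSQL connection behaves the same way as long as the placeholder mechanism of the interface (ADO's @name, DBI's "?", libpq's $n) is used rather than building the string by hand.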
