| From: | Greg Stark <gsstark(at)mit(dot)edu> |
|---|---|
| To: | "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk> |
| Cc: | pgsql-general(at)postgresql(dot)org, pgsql-interfaces(at)postgresql(dot)org |
| Subject: | Re: More PHP DB abstraction layer stuff |
| Date: | 2003-01-24 17:22:42 |
| Message-ID: | 87k7gupin1.fsf@stark.dyndns.tv |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-interfaces |
"Nigel J. Andrews" <nandrews(at)investsystems(dot)co(dot)uk> writes:
> One thing that always gets me is why people think quoting the ' in a string is
> a security feature when they don't allow for someone giving \' in the
> string. On the other hand I'm never sure how to protect against such 'odd
> number of escapes' attacks. Anyone got any clues? Does PQescape do it?
That just means you have to escape \ as well as '.
But the best way to deal with this is to use placeholders and prepared queries
and provide the data out of band. This completely sidesteps the issue and
guarantees you can't get it wrong by mistake ever. Mixing user-provided data
with program code is a recipe for security holes.
--
greg
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mikhail Terekhov | 2003-01-24 17:23:31 | Re: DBD-Pg |
| Previous Message | frank_lupo | 2003-01-24 17:13:34 | Re: pid in pg_locks not present in procpid pg_stat_activity |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dennis Gearon | 2003-01-24 19:13:53 | Re: More PHP DB abstraction layer stuff |
| Previous Message | Justin Clift | 2003-01-24 16:14:17 | Re: More PHP DB abstraction layer stuff |