| From: | Gregory Stark <stark(at)enterprisedb(dot)com> |
|---|---|
| To: | "pepone(dot)onrez" <pepone(dot)onrez(at)gmail(dot)com> |
| Cc: | "pgsql-general" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Best practices for protect applications agains Sql injection. |
| Date: | 2008-01-23 21:34:31 |
| Message-ID: | 87lk6g1b14.fsf@oxford.xeocode.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"pepone.onrez" <pepone(dot)onrez(at)gmail(dot)com> writes:
> Hi all
>
> I interesting in the protect my applications that use postgresql as is
> database backend from Sql Injections attacks, can any recommend me best
> pratices or references to protected postgres from this kind of malicious
> users.
I strongly urge people to adopt a policy of using prepared queries except when
absolutely necessary. If all user-provided data is passed to the database as
parameters to a prepared query then you should never need to worry about SQL
injection.
It's possible to always quote your parameters before inserting them into the
query but it's much more error-prone. It's also much harder to look at a piece
of code and be sure it's correct. If you religiously use prepared queries then
any variables interpolated directly into the query stand out like sore thumbs.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Ask me about EnterpriseDB's 24x7 Postgres support!
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2008-01-23 21:45:13 | Re: pg_xlog and standby |
| Previous Message | Tommy Gildseth | 2008-01-23 20:55:39 | Re: ascii to utf-8 |