| From: | Gregory Stark <stark(at)enterprisedb(dot)com> |
|---|---|
| To: | "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com> |
| Cc: | <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Protection from SQL injection |
| Date: | 2008-04-29 13:36:02 |
| Message-ID: | 87tzhk4wcd.fsf@oxford.xeocode.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
"Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com> writes:
> Also, programming languages such as Java don't support tainting. And it's
> again in the hand of the developer to use it, not use it, or use it in the
> wrong way. There should be a way for an admin to enforce using it, and using
> it correctly.
I bet you could do something clever with Java.
Something like making the Execute() stmt take a special kind of string object
which enforces that it can only be constructed as static final and takes a
String as a constructor argument . That would let you use literals in the
queries but bar you from including any user input at runtime. You could even
include some methods for assembling such StaticStrings in useful ways which
would let you build queries dynamically out of immutable pieces.
I think you're tilting at windmills if you want to bar *all* literals. That's
just too big of a usability hit and as you pointed out with the common use
case of dynamically choosing ORDER BY it doesn't even catch other common
cases. You need to step back and find a way to prevent user input from ending
up in the query regardless of whether it's in a literal or not.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Ask me about EnterpriseDB's PostGIS support!
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Martijn van Oosterhout | 2008-04-29 13:42:56 | Re: table format specification |
| Previous Message | PFC | 2008-04-29 13:29:44 | Re: Protection from SQL injection |