Correct escaping of untrusted data

From: Geoff Caplan <geoff(at)variosoft(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Correct escaping of untrusted data
Date: 2004-07-31 09:09:07
Message-ID: 9898503310.20040731100907@variosoft.com
Lists: pgsql-general

Hi folks,

The thread on injection attacks was very instructive, but seemed to
run out of steam at an interesting point. Now you guys have kindly
educated me about the real nature of the issues, can I ask again
what effective escaping really means?

Are the standard escaping functions found in the PHP, Tcl etc. APIs to
Postgres bombproof? Are there any encodings that might slip through
and be cast to malicious strings inside Postgres? What about functions
like convert(): could they be used to slip something through the
escaping function?

I don't really have enough knowledge in this area to be confident in
the results of my own experiments. Any advice from the more
technically savvy would be much appreciated.

------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
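
As an added illustration, not part of Geoff's post or of any reply in the thread: a small Python model of how the server scans a single-quoted literal, used to check whether an escaping routine's assumptions match the server. The function names (escape_literal, scan_literal, literal_is_intact) are hypothetical; standard_conforming_strings is a real PostgreSQL setting, and backslash handling is simplified to "backslash takes the next character literally" when it is off.

```python
from typing import Tuple

def escape_literal(value: str, standard_conforming_strings: bool) -> str:
    """libpq-style escaping of a value for use inside '...'.

    Quotes are always doubled. Backslashes are doubled only when the server
    treats backslash as an escape character (standard_conforming_strings = off),
    which was the default in 2004-era PostgreSQL.
    """
    out = value.replace("'", "''")
    if not standard_conforming_strings:
        out = out.replace("\\", "\\\\")
    return out


def scan_literal(sql: str, standard_conforming_strings: bool) -> Tuple[str, str]:
    """Scan sql (which must start with the opening quote) the way the server would.

    Returns (literal_contents, trailing_sql). Anything after the closing quote
    is SQL text the parser will treat as further tokens, not as data.
    Simplified: with standard_conforming_strings off, a backslash just takes
    the next character literally (no \\n, \\x.. decoding).
    """
    assert sql.startswith("'")
    i, buf = 1, []
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":   # '' -> one quote
                buf.append("'"); i += 2; continue
            return "".join(buf), sql[i + 1:]            # closing quote
        if c == "\\" and not standard_conforming_strings and i + 1 < len(sql):
            buf.append(sql[i + 1]); i += 2; continue    # \x -> x (simplified)
        buf.append(c); i += 1
    raise ValueError("unterminated string literal")


def literal_is_intact(value: str, escaper_assumes_scs: bool, server_scs: bool) -> bool:
    """True when the escaped value round-trips as exactly one literal.

    A non-empty remainder means the literal closed early: the rest of the
    untrusted value is now parsed as SQL, which is the failure escaping must
    prevent. A remainder of "" with altered contents is data corruption only.
    """
    sql = "'" + escape_literal(value, escaper_assumes_scs) + "'"
    contents, rest = scan_literal(sql, server_scs)
    return contents == value and rest == ""
```

The mismatched case (escaper doubling only quotes, server still treating backslash as an escape) is the one to check for: a value ending in a backslash before a quote lets the literal close early, which is why binding parameters separately from the SQL text is the safer option regardless of encoding.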
