From: | Curt Sampson <cjs(at)cynic(dot)net> |
---|---|
To: | ngpg(at)grymmjack(dot)com |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [SECURITY] DoS attack on backend possible |
Date: | 2002-08-20 11:29:11 |
Message-ID: | Pine.NEB.4.44.0208202027380.697-100000@angelic.cynic.net |
Lists: | pgsql-committers pgsql-hackers |
On Mon, 19 Aug 2002 ngpg(at)grymmjack(dot)com wrote:
> $input = "user'name";
> INSERT INTO db (name) VALUES ('$input');
>
> will fail because the ' in the input needs to be escaped with a
> backslash.
It will fail because you're doing this in a very, very, very bad way.
Why rewrite this kind of stuff when the vendor has already made
correct code available?
PreparedStatement stmt = connection.prepareStatement(
    "INSERT INTO db (name) VALUES (?)");
stmt.setString(1, "user'name");   // 1 = the first ? placeholder; the driver binds the value, no escaping needed
stmt.execute();
cjs
--
Curt Sampson <cjs(at)cynic(dot)net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
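A runnable illustration of the point Curt makes, added here and not part of the original thread: the same user'name input is fed once through string interpolation and once through a bound parameter. It uses Python's standard-library sqlite3 module (whose ? placeholder works like the JDBC one above) rather than JDBC so it runs offline; the db table is constructed in memory.

```python
import sqlite3

# Constructed in-memory stand-in for the "db" table mentioned in the thread.
SCHEMA = "CREATE TABLE db (name TEXT NOT NULL)"


def insert_by_interpolation(conn, value):
    """The original poster's pattern: the value is pasted into the SQL text,
    so a single quote inside it changes the statement itself."""
    sql = "INSERT INTO db (name) VALUES ('%s')" % value
    conn.execute(sql)


def insert_by_parameter(conn, value):
    """The pattern Curt recommends: '?' is a placeholder, the value is bound
    separately by the driver and is never parsed as SQL.  sqlite3 uses the
    same '?' syntax as a JDBC PreparedStatement."""
    conn.execute("INSERT INTO db (name) VALUES (?)", (value,))


def names(conn):
    """Return the stored names in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM db ORDER BY rowid")]


def demo(value="user'name"):
    """Run both approaches on the same input.

    Returns (name of the exception raised by interpolation or None,
             list of names actually stored)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    error = None
    try:
        insert_by_interpolation(conn, value)   # breaks on the embedded quote
    except sqlite3.Error as exc:
        error = type(exc).__name__
    insert_by_parameter(conn, value)           # stores the value verbatim
    return error, names(conn)


if __name__ == "__main__":
    print(demo())            # ('OperationalError', ["user'name"])
    print(demo("plain"))     # (None, ['plain', 'plain'])
```

Note that the bound parameter also stores a backslash literally, since no escaping layer is involved at all.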