| From: | DarkSamurai <julio(at)invlaid(dot)linux(dot)net> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Escaping metacharacters |
| Date: | 2004-07-15 22:02:32 |
| Message-ID: | Y9DJc.619$ZD81.585@news04.bloor.is.net.cable.rogers.com |
| Lists: | pgsql-hackers |
Hi,
To prevent SQL injections, I try to neutralize SQL metacharacters.
ex:
```php
function SQLString($s) {
    $s = str_replace("\\", "\\\\", $s);  // double backslashes first, so the next step's backslash is not doubled again
    $s = str_replace("'", "\\'", $s);    // then escape single quotes as \'
    return "'" . $s . "'";
}
```
And suppose I use this :
```php
$cat   = $_GET["category"];
$query = "SELECT Id, Title, Abstract FROM News WHERE Category=" . SQLString($cat);
```
If a malicious user tries to input `1' UNION SELECT 1, Usr, Pass FROM Usr`, it would just pass as plain text like `1\' UNION SELECT 1, Usr, Pass FROM Usr`.
[edit]
And if he tried `1\' UNION (...)` it would pass `1\\\' UNION (...)` to the database server.
[/edit]
Is that safe from SQL injection?
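Worked example, added here and not part of the original post: it shows the two checks a reviewer would want on the approach above, plus the alternatives PHP's pgsql extension provides. First, the hand-rolled escaper only does what the post describes if backslashes are doubled before quotes are escaped; the self-check at the bottom reproduces the `1\'` and `1\\\'` outputs from the post. Second, escaping quotes only protects values that sit inside a quoted literal; the example query compares `Category=` against the raw value with no surrounding quotes, so a value containing no quote character at all reaches the server as SQL text, and the fix there is type validation, not escaping. Also note that on PostgreSQL 9.1 and later `standard_conforming_strings` is on by default, so a backslash inside a plain `'...'` literal is an ordinary character and `\'` does not escape anything; `pg_escape_string()` doubles the quote instead and follows the server's settings. The function names `sqlString`, `quotedLiteral`, `categoryId` and `fetchNews` and the connection string values are my own placeholders; `pg_escape_string()`, `pg_query_params()`, `pg_fetch_all()` and `pg_last_error()` are the real extension functions.

```php
<?php
// Added example, not code from the original post. Demonstrates the ordering
// rule for a hand-rolled escaper, a numeric-context check, and the pgsql
// extension's own escaping and parameterized-query functions.

// Hand-rolled escaper, kept only to illustrate the ordering rule: double
// backslashes BEFORE escaping quotes, or the backslash added for a quote
// gets doubled again and the quote terminates the literal. This scheme
// relies on the server treating backslash as an escape character, which
// PostgreSQL 9.1+ does not do by default (standard_conforming_strings=on).
function sqlString(string $s): string {
    $s = str_replace("\\", "\\\\", $s);   // first: \  -> \\
    $s = str_replace("'", "\\'", $s);     // then:  '  -> \'
    return "'" . $s . "'";
}

// 1. Library escaper: pg_escape_string() doubles quotes ('') and handles
//    backslashes according to the connected server's settings and encoding.
function quotedLiteral($conn, string $s): string {
    return "'" . pg_escape_string($conn, $s) . "'";
}

// 2. Numeric context: when the value is not inside quotes, escaping quotes
//    changes nothing, so validate the type instead. (Hypothetical helper.)
function categoryId(string $raw): int {
    if (!preg_match('/^\d{1,9}\z/', $raw)) {
        throw new InvalidArgumentException("category must be a small positive integer");
    }
    return (int) $raw;
}

// 3. Preferred: parameterized query. The value is sent separately from the
//    SQL text, so the server never parses it as SQL. (Hypothetical helper.)
function fetchNews($conn, string $rawCategory): array {
    $sql = 'SELECT Id, Title, Abstract FROM News WHERE Category = $1';
    $res = pg_query_params($conn, $sql, [categoryId($rawCategory)]);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// Self-check of the ordering rule; no database needed. Inputs are constructed.
$payload = "1' UNION SELECT 1, Usr, Pass FROM Usr";
assert(sqlString("1'") === "'1\\''");                 // quote escaped exactly once: '1\''
assert(sqlString("1\\'") === "'1\\\\\\''");           // backslash doubled, then quote: '1\\\''
assert(sqlString($payload) === "'1\\' UNION SELECT 1, Usr, Pass FROM Usr'");

// A value with no quote character is untouched by any escaper; only the
// numeric validation rejects it before it can reach the unquoted comparison.
$rejected = false;
try {
    categoryId("1 UNION SELECT 1, Usr, Pass FROM Usr");
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
assert($rejected);

// Usage against a live server (connection values are placeholders):
// $conn = pg_connect("host=DBHOST dbname=DBNAME user=DBUSER password=DBPASS");
// print_r(fetchNews($conn, $_GET["category"] ?? ""));
```

The self-check part runs with `php -d zend.assertions=1 example.php` and needs no database; the commented usage call shows where `fetchNews()` would replace the string-concatenated query from the post.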