From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | Glen K <glenk1973(at)hotmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Feature request: Settings to disable comments and multiple statements in a connection |
Date: | 2025-06-07 21:56:45 |
Message-ID: | bbdb4e11-9743-4862-9a3c-f7cc7f5022d3@aklaver.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On 6/7/25 14:18, Glen K wrote:
>> I don't believe that this would move the needle on SQL-injection
> safety by enough to be worth doing. An injection attack is normally
> trying to break out of a quoted string, not a comment.
>
> Yes, SQL injections frequently involve escaping quoted strings, but if
> you do a search for SQL injection examples, you will find that most of
> them (I would say 90% or more) also use comments to remove the remainder
> of the SQL statement from consideration. Here is one example where an
> attacker specifies "admin'--;" as the username:
>
> SELECT * FROM members WHERE username = 'admin'--;' AND password =
> 'password';
>
> The comment in this example removes the password from inclusion in the
> statement, allowing the attacker to login as admin without a password.
Really?
select username, first_name, last_name from auth_user where username =
'aklaver';
username | first_name | last_name
----------+------------+-----------
aklaver | Adrian | Klaver
select username, first_name, last_name from auth_user where username =
'aklaver--;' and password = 'password';
username | first_name | last_name
----------+------------+-----------
(0 rows)
What authentication system are you using that does not actually verify
the password and allows entry for a zero return result?
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
From | Date | Subject | |
---|---|---|---|
Next Message | Adrian Klaver | 2025-06-07 22:06:27 | Re: Feature request: Settings to disable comments and multiple statements in a connection |
Previous Message | Glen K | 2025-06-07 21:18:01 | Re: Feature request: Settings to disable comments and multiple statements in a connection |