| From: | David Wilson <david(dot)t(dot)wilson(at)gmail(dot)com> |
|---|---|
| To: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> |
| Cc: | Stephen Cook <sclists(at)gmail(dot)com>, RebeccaJ <rebeccaj(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: text column constraint, newbie question |
| Date: | 2009-03-23 07:51:59 |
| Message-ID: | e7f9235d0903230051m38cabfbbk8852cf12f80085e6@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mon, Mar 23, 2009 at 3:07 AM, Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> wrote:
> Are you saying pg_quer_params is MORE effective than pg_escape_string
> at deflecting SQL injection attacks?
pg_query_params() will protect non-strings. For instance, read a
number in from user input and do something of the form " and
foo=$my_number". Even if you escape the string, an attacker doesn't
need a ' to close a string, so he can manage injection. If it's " and
foo=$1" using pg_query_params(), however, that's not possible.
--
- David T. Wilson
david(dot)t(dot)wilson(at)gmail(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ivan Sergio Borgonovo | 2009-03-23 08:09:42 | Re: bash & postgres |
| Previous Message | Scott Marlowe | 2009-03-23 07:07:18 | Re: text column constraint, newbie question |