Re: Sql injection attacks

From: Pierre-Frédéric Caillaud <lists(at)boutiquenumerique(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-28 11:19:06
Message-ID: opsbuhp4gscq72hf@musicbox
Lists: pgsql-general


> update tablea set a=10-$inputstring where key=1;

Add parentheses:

update tablea set a=10-($inputstring) where key=1;

Thus you get:
update tablea set a=10-(-1) where key=1;
instead of:
update tablea set a=10--1 where key=1;

You'd have a problem because -- is the comment delimiter, thus
update tablea set a=10--1 where key=1;
means:
update tablea set a=10;
which does update all rows.

I still think inputstring should be cast to int in YOUR code prior to being
sent to SQL, because then you can give a good error message to the user
instead of "SQL request failed".
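The following is an added example, not part of the original message, that runs the three variants discussed above against a throwaway table so the effect of the `--` comment delimiter can be observed directly. It uses Python's standard-library sqlite3 as a stand-in for PostgreSQL (an assumption made so the example runs offline; `--` starts a line comment in both). The table name, column names and seed rows are constructed here. It goes one step beyond the message: it also shows that wrapping the input in parentheses does not close the hole for a non-numeric input, which is why the cast-in-application-code-plus-bound-parameter version at the end is the one to keep.

```python
import sqlite3


def fresh_db():
    """Constructed fixture: three rows, all with a=50, so an over-broad UPDATE is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tablea (key integer primary key, a integer)")
    conn.executemany("insert into tablea values (?, ?)", [(1, 50), (2, 50), (3, 50)])
    conn.commit()
    return conn


# The two statement shapes from the thread, with $inputstring interpolated as text.
UNPARENTHESISED = "update tablea set a=10-{inputstring} where key=1"
PARENTHESISED = "update tablea set a=10-({inputstring}) where key=1"


def run_unsafe(template, inputstring):
    """Build the statement by string interpolation (the pattern under discussion).

    Returns (statement text, rows changed, {key: a} after the update) so the
    caller can see both what was sent to the database and what it did.
    """
    conn = fresh_db()
    stmt = template.format(inputstring=inputstring)
    cur = conn.execute(stmt)
    conn.commit()
    rows = dict(conn.execute("select key, a from tablea order by key"))
    return stmt, cur.rowcount, rows


def run_safe(inputstring):
    """Hardened form: cast in application code, then bind a parameter.

    The int() cast is where a clear error message to the user comes from;
    the bound parameter means the value is never part of the SQL text.
    (psycopg2 would use %s instead of sqlite3's ? placeholder.)
    """
    try:
        value = int(inputstring)
    except ValueError:
        raise ValueError(f"expected an integer, got {inputstring!r}")
    conn = fresh_db()
    cur = conn.execute("update tablea set a=10-? where key=1", (value,))
    conn.commit()
    rows = dict(conn.execute("select key, a from tablea order by key"))
    return cur.rowcount, rows


if __name__ == "__main__":
    # "-1" turns "10-" into "10--": the WHERE clause becomes a comment, all rows change.
    print(run_unsafe(UNPARENTHESISED, "-1"))
    # Parentheses keep "-1" intact and only key=1 is updated...
    print(run_unsafe(PARENTHESISED, "-1"))
    # ...but a crafted input still rewrites the WHERE clause.
    print(run_unsafe(PARENTHESISED, "0) where 1=1 --"))
    # Cast plus bound parameter: "-1" works, the crafted input is rejected up front.
    print(run_safe("-1"))
    try:
        run_safe("0) where 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it prints the interpolated statement alongside the row count, so the "10--1" case shows 3 rows changed while the parenthesised "-1" case shows 1; the crafted input against the parenthesised form again changes 3 rows, and only `run_safe` refuses it before anything reaches the database.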
