
Re: Sql injection attacks

From: Pierre-Frédéric Caillaud <lists(at)boutiquenumerique(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-28 11:19:06
Message-ID: opsbuhp4gscq72hf@musicbox
Lists: pgsql-general
> update tablea set a=10-$inputstring where key=1;

Add parentheses:

update tablea set a=10-($inputstring) where key=1;

Thus you get:
update tablea set a=10-(-1) where key=1;
instead of:
update tablea set a=10--1 where key=1;

You'd have a problem because -- is the comment delimiter, thus
update tablea set a=10--1 where key=1;
means:
update tablea set a=10;
which does update all rows.

I still think inputstring should be cast to int in YOUR code prior to being sent to SQL, because then you can give a good error message to the user instead of "SQL request failed".
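The three variants discussed in this reply, side by side, as an added example that is not part of the thread. It uses an in-memory SQLite database as a stand-in for PostgreSQL (both treat `--` as a comment delimiter), with a constructed `tablea` holding the columns `a` and `key` from the message; the parameterised version is the "cast to int in your code" approach, with the value bound as a query parameter rather than spliced into the string.

```python
import sqlite3


def fresh_db():
    """Constructed sample data: three rows, all with a=0."""
    con = sqlite3.connect(":memory:")
    con.execute("create table tablea (key integer primary key, a integer)")
    con.executemany("insert into tablea values (?, ?)", [(1, 0), (2, 0), (3, 0)])
    return con


def snapshot(con):
    """Return {key: a} so the effect of each update can be compared."""
    return dict(con.execute("select key, a from tablea order by key").fetchall())


def build_unsafe(inputstring):
    # The statement from the quoted mail: input spliced straight into the SQL.
    return f"update tablea set a=10-{inputstring} where key=1"


def build_parenthesized(inputstring):
    # The reply's first suggestion: parentheses stop "-" + "-1" from forming "--".
    return f"update tablea set a=10-({inputstring}) where key=1"


def run_spliced(builder, inputstring):
    con = fresh_db()
    con.execute(builder(inputstring))
    return snapshot(con)


def run_parameterized(inputstring):
    """The reply's second suggestion: validate in application code, then bind.

    int() raises ValueError for anything that is not an integer, which the
    application can turn into a clear message instead of "SQL request failed".
    """
    value = int(inputstring)
    con = fresh_db()
    con.execute("update tablea set a=10-? where key=1", (value,))
    return snapshot(con)


if __name__ == "__main__":
    print(build_unsafe("-1"), "->", run_spliced(build_unsafe, "-1"))
    print(build_parenthesized("-1"), "->", run_spliced(build_parenthesized, "-1"))
    print("parameterized -1 ->", run_parameterized("-1"))
```

With input `-1` the spliced statement becomes `update tablea set a=10--1 where key=1`, so everything after `--` is a comment and every row gets a=10; both fixes update only key=1 to 11.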
