| From: | Harald Fuchs <hf0722x(at)protecting(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-29 15:38:35 |
| Message-ID: | puk6wmlt6s.fsf@srv.protecting.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
In article <6(dot)0(dot)0(dot)22(dot)0(dot)20040729123957(dot)02ac5b70(at)pop(dot)atz(dot)nl>,
"B. van Ouwerkerk" <bvo(at)atz(dot)nl> writes:
> I've been reading this discussion and I asked myself whether you guys
> remove/replace unwanted chars from strings you get from the web or
> not..
The problem is not limited to strings you get from the web. Those
strings can come from _any_ source you don't control fully. And you
don't remove unwanted chars - a search for "O'Neill" is prefectly
reasonable and not more dangerous than a search for "Anderson" as long
as you escape the quotation mark properly.
> If you do remove them AFAIK it doesn't only prevent SQL injection but also XSS.
You can prevent XSS in the same manner: carefully escape everything
that looks dangerous. You just use different escaping rules because
you have other dangerous characters (especially '<').
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bill Moran | 2004-07-29 15:41:39 | Re: mirroring data on different drives? |
| Previous Message | David Parker | 2004-07-29 15:32:53 | Re: installation problem... |