Re: Limit on number of queries from CGI or PHP (security)

From: "Adam Lang" <aalang(at)rutgersinsurance(dot)com>
To: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Limit on number of queries from CGI or PHP (security)
Date: 2000-10-17 15:07:09
Message-ID: 008501c0384b$eb96b8c0$330a0a0a@6014cwpza006
Lists: pgsql-general

For the most part, everyone's answers are accurate. The interface and
database you design needs to be tighter to prevent that.

One topic that no one mentioned is database security. For the user that the
php script runs under, start by restricting its access to what it doesn't
need. If they are only allowed to query information, don't let them update,
delete, etc.

Second, check the query string for suspicious characters, i.e. more
semicolons than needed.

When letting people enter actual SQL queries, you have to treat it like they
are sitting at the server's console.

The best option is to have a form that they fill in and the script
constructs the query on its own... (as well as the user security enabled).

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Rikul Patel" <rikul7(at)yahoo(dot)com>
To: <pgsql-general(at)postgresql(dot)org>
Sent: Tuesday, October 17, 2000 4:00 AM
Subject: [GENERAL] Limit on number of queries from CGI or PHP (security)

> Hi,
>
> Is there any way I can restrict number of queries to
> only one? Here's the problem:
>
> If PHP script gets some data as input from user, and
> PHP scripts tries to put this data into Postgresql,
> what's keeping the user to modify the data in way to
> have postgresql execute two queries.
>
> So instead of some PHP script generating query like
> "select * from table where text='some text' or id=1",
> some malicious user could make it generate "select *
> from table where text='some text' or id=1;delete from
> table"
>
> Thanks,
> Rikul
>
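
A worked version of the two pieces of advice in the reply above (let the script build the query from a form with the values passed as parameters, and count statement separators when raw SQL has to be accepted), added here as an example; it is not code from the thread. The table name `items`, the form field names and the psycopg-style `%s` placeholders are assumptions.

```python
# Added example, not from the thread. Builds the query from form fields
# (the "form + script constructs the query" approach) and, for the case
# where raw SQL must be accepted, counts top-level statements so that a
# trailing ";delete from ..." can be rejected before it reaches PostgreSQL.
# Table name `items`, field names and psycopg-style %s placeholders are assumed.

# Whitelist of form fields -> converter; any other field is rejected outright.
ALLOWED_FIELDS = {"text": str, "id": int}


def build_lookup(form):
    """Return (sql, params) for the SELECT. User values never enter the SQL
    text: they travel separately as parameters, so a value such as
    "some text';delete from items" is compared as a plain string."""
    clauses, params = [], []
    for field, value in form.items():
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unexpected form field: {field!r}")
        params.append(ALLOWED_FIELDS[field](value))  # int() refuses "1;delete ..."
        clauses.append(f"{field} = %s")
    if not clauses:
        raise ValueError("no search criteria supplied")
    return "SELECT * FROM items WHERE " + " OR ".join(clauses), tuple(params)


def split_statements(sql):
    """Split raw SQL on ';' outside single-quoted literals and return the
    non-empty statements. A doubled quote ('') toggles out and back in, so
    it is handled; comments and $$ quoting are not, so treat this as a
    sanity check on top of least privilege, not a substitute for it."""
    statements, current, in_string = [], [], False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        if ch == ";" and not in_string:
            statements.append("".join(current))
            current = []
        else:
            current.append(ch)
    statements.append("".join(current))
    return [s.strip() for s in statements if s.strip()]


def is_single_statement(sql):
    """True when the raw query holds exactly one statement."""
    return len(split_statements(sql)) == 1


if __name__ == "__main__":
    # Constructed inputs: the benign query from the thread and the stacked one.
    print(build_lookup({"text": "some text", "id": "1"}))
    print(is_single_statement("select * from items where text='some text' or id=1"))
    print(is_single_statement("select * from items where text='x' or id=1;delete from items"))
```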
