From: | "Adam Lang" <aalang(at)rutgersinsurance(dot)com> |
---|---|
To: | <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Limit on number of queries from CGI or PHP (security) |
Date: | 2000-10-17 15:07:09 |
Message-ID: | 008501c0384b$eb96b8c0$330a0a0a@6014cwpza006 |
Lists: | pgsql-general |
For the most part, everyone's answers are accurate. The interface and
database you design needs to be tighter to prevent that.
One topic that no one mentioned is database security. For the user that the
PHP script runs under, start by restricting its access to what it doesn't
need. If they are only allowed to query information, don't let them update,
delete, etc.
Second, check the query string for suspicious characters, i.e. more
semicolons than needed.
When letting people enter actual SQL queries, you have to treat it like they
are sitting at the server's console.
The best option is to have a form that they fill in and the script
constructs the query on its own... (as well as the user security enabled).
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
----- Original Message -----
From: "Rikul Patel" <rikul7(at)yahoo(dot)com>
To: <pgsql-general(at)postgresql(dot)org>
Sent: Tuesday, October 17, 2000 4:00 AM
Subject: [GENERAL] Limit on number of queries from CGI or PHP (security)
> Hi,
>
> Is there any way I can restrict number of queries to
> only one? Here's the problem:
>
> If a PHP script gets some data as input from a user, and
> the PHP script tries to put this data into PostgreSQL,
> what's keeping the user from modifying the data in a way that
> has PostgreSQL execute two queries?
>
> So instead of some PHP script generating query like
> "select * from table where text='some text' or id=1",
> some malicious user could make it generate "select *
> from table where text='some text' or id=1;delete from
> table"
>
> Thanks,
> Rikul
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Messenger - Talk while you surf! It's FREE.
> http://im.yahoo.com/
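As an added example (not code from either message in this thread): the string-built query Rikul describes, with the injection arriving through the numeric `id` value exactly as in his quoted output, next to the form-driven construction Adam recommends, where the script owns the SQL and only typed, quoted values go in. It is written in Python rather than PHP so it runs without a database. The statement shape, the table name `table` and the columns `text` and `id` come from Rikul's message; `quote_literal`, `split_statements`, `naive_semicolon_check` and the sample inputs are constructed for illustration. The quoting rule is the one PostgreSQL applies to `E'...'` literals (8.1 and later), which is what `pg_escape_literal()` produces.

```python
"""Stacked-query injection through a string-built SQL statement, and the
form-driven construction that avoids it.

Added example, not code from either message in this thread. The statement
shape, the table name "table" and the columns "text" and "id" are taken
from Rikul's message; the sample inputs and helper names are constructed
for illustration. Written in Python rather than PHP so it runs stand-alone
without a database; the quoting rule is the one PostgreSQL itself applies
to E'...' literals (8.1 and later).
"""
import re


def build_query_unsafe(text, id_value):
    """The shape from the original message: two user-controlled values
    dropped straight into the SQL text, so whatever the user sends is SQL."""
    return "select * from table where text='%s' or id=%s" % (text, id_value)


def quote_literal(value):
    """Render a str as a PostgreSQL E'...' string literal.

    Inside E'' both the single quote and the backslash are doubled, so the
    closing quote can only come from this function, never from the data.
    Equivalent in effect to pg_escape_literal()/PQescapeLiteral(); assumes
    a backslash-safe client encoding such as UTF-8 (assumption).
    """
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def build_query_safe(text, id_value):
    """Form-driven construction: the script owns the SQL, the user supplies
    values only, and each value is coerced to its column's type first."""
    if not re.fullmatch(r"[0-9]{1,10}", str(id_value)):
        raise ValueError("id must be a plain non-negative integer")
    return "select * from table where text=%s or id=%d" % (
        quote_literal(text), int(id_value))


def split_statements(sql):
    """Split SQL into top-level statements on ';' outside single-quoted
    literals, where '' is an escaped quote, not a terminator.

    A detective check on the *built* statement, useful for logging or
    rejecting a request; it is not a substitute for quote_literal().
    Deliberate limitations: -- and /* */ comments and $$ dollar-quoting are
    not parsed, and backslash-escaped quotes are not recognised
    (quote_literal never emits them).
    """
    parts, buf, in_literal, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'" and sql[i + 1:i + 2] == "'":
                buf.append("''")   # escaped quote inside the literal
                i += 2
                continue
            if ch == "'":
                in_literal = False
            buf.append(ch)
        elif ch == "'":
            in_literal = True
            buf.append(ch)
        elif ch == ";":            # top-level terminator: statement boundary
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def naive_semicolon_check(sql):
    """The check as literally described in the thread: flag any semicolon.
    It fires on legitimate data that merely contains one."""
    return ";" in sql


if __name__ == "__main__":
    # Constructed inputs: a legitimate value with an apostrophe and a
    # semicolon, and the attack from the original message sent via "id".
    legit_text, attack_id = "O'Reilly; see note", "1;delete from table"
    unsafe = build_query_unsafe("some text", attack_id)
    print(unsafe, "->", len(split_statements(unsafe)), "statements")
    safe = build_query_safe(legit_text, 1)
    print(safe, "->", len(split_statements(safe)), "statement;",
          "naive check flags it:", naive_semicolon_check(safe))
    try:
        build_query_safe("some text", attack_id)
    except ValueError as exc:
        print("attack rejected:", exc)
```

Two things the run shows that the thread only states: the attack never needs a quote character when the injection point is an unquoted number, so filtering quotes alone does nothing, and a plain semicolon count rejects honest data such as `O'Reilly; see note` while the type check plus literal quoting turns that same data into a single, harmless statement. With a driver that supports it, passing the values as bind parameters (`pg_query_params()` in PHP, `%s` placeholders in psycopg2) removes the need for `quote_literal` entirely, and the privilege restriction Adam puts first (a role with `SELECT` only) still limits what a missed case can do.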