From: | pedro2009(at)mandic(dot)com(dot)br |
---|---|
To: | Andre Lopes <lopes80andre(at)gmail(dot)com>,pgsql-general(at)postgresql(dot)org |
Subject: | Re: How can I test my web application against SQL Injections? |
Date: | 2010-02-06 12:52:14 |
Message-ID: | 1265460734224880133@webmail.mandic.com.br |
Lists: | pgsql-general |
Hi Andre,
What we do at my job to avoid SQL injections (PHP example):
For every web variable that comes from _POST or _GET, we coerce it to the type we expect before it goes anywhere near a query:

```php
<?php
// if we expect an integer:
$x = intval($_GET['x']);

// if we expect money:
$x = sprintf("%.2f", $_GET['x']);

// if we expect a string
// (the escaped value still has to be placed inside single quotes in the SQL text):
$x = pg_escape_string($_GET['x']);

// if we expect a boolean (checkbox for example):
$x = $_GET['x'] ? 1 : 0;
```
There are other cases, but that was enough to explain :-)
We try to ensure that there are no injections through our svn revision/approval procedures. We do no tests; we just have the rule to reject any commit that uses variables coming directly from _POST or _GET.
Hope that helps.
Pedro
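The per-type coercion described above, as a runnable illustration added here (it is not code from Pedro's post or from the PostgreSQL project). It is written in Python rather than PHP so it can be checked offline, and it assumes an in-memory SQLite database standing in for PostgreSQL plus a small constructed users table; `expect_string()` only emulates `pg_escape_string()` by doubling single quotes (assuming `standard_conforming_strings` is on, so backslashes need no treatment). It goes one step beyond the post by also showing the parameterised form (what `pg_query_params()` gives you in PHP), and it doubles as the kind of test Andre asked for: run the same injection payloads through each variant of the lookup and compare what comes back.

```python
import re
import sqlite3

# Constructed sample data standing in for the real users table.
# Assumption: an in-memory SQLite database is used in place of PostgreSQL;
# the SQL below is plain enough to behave the same on both.
SAMPLE_USERS = [("alice", 10.5, 1), ("bob", 99.0, 0), ("o'brien", 3.25, 1)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "balance REAL, active INTEGER)")
    conn.executemany("INSERT INTO users (name, balance, active) VALUES (?, ?, ?)",
                     SAMPLE_USERS)
    return conn


# --- Per-type coercion of request parameters, after the PHP helpers in the post ---

def expect_int(value):
    """Like intval(): keep a leading signed integer prefix, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def expect_money(value):
    """Like sprintf('%.2f', ...): anything that is not a number becomes 0.00."""
    try:
        return "%.2f" % float(value)
    except ValueError:
        return "0.00"


def expect_string(value):
    """Emulates pg_escape_string() by doubling single quotes.
    Assumption: standard_conforming_strings is on, so backslashes are literal.
    The result must still be wrapped in single quotes in the SQL text."""
    return value.replace("'", "''")


def expect_bool(value):
    """Like `$_GET['x'] ? 1 : 0` under PHP truthiness: '' and '0' are false."""
    return 0 if value in ("", "0") else 1


# --- Three ways to build the same lookup, from worst to best ---

def find_by_name_raw(conn, name):
    # Vulnerable: the request value is pasted straight into the query text.
    sql = "SELECT id FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_by_name_escaped(conn, name):
    # The post's approach: escape, then quote.
    sql = "SELECT id FROM users WHERE name = '%s'" % expect_string(name)
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    # Parameterised query: the driver sends the value separately from the SQL
    # text, so no escaping is needed (pg_query_params() in PHP).
    return [row[0] for row in
            conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


def find_by_id_raw(conn, id_param):
    sql = "SELECT id FROM users WHERE id = %s" % id_param   # vulnerable
    return [row[0] for row in conn.execute(sql)]


def find_by_id_int(conn, id_param):
    sql = "SELECT id FROM users WHERE id = %d" % expect_int(id_param)
    return [row[0] for row in conn.execute(sql)]


def raw_lookup_breaks(conn, name):
    """True if the raw query cannot even be parsed, which is what a legitimate
    name containing a quote does to unescaped code (and what a tester sees first)."""
    try:
        find_by_name_raw(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("raw:      ", find_by_name_raw(conn, payload))      # [1, 2, 3]: injected
    print("escaped:  ", find_by_name_escaped(conn, payload))  # []
    print("param:    ", find_by_name_param(conn, payload))    # []
    print("o'brien:  ", find_by_name_escaped(conn, "o'brien"),  # [3]
          raw_lookup_breaks(conn, "o'brien"))                   # True
    print("id raw:   ", find_by_id_raw(conn, "1 OR 1=1"))      # [1, 2, 3]
    print("id intval:", find_by_id_int(conn, "1 OR 1=1"))      # [1]
```

The raw lookup is the one to keep in mind when testing: the classic `' OR '1'='1` payload returns every row, and an honest value such as `o'brien` makes the query fail to parse, so a tester who gets a database error on a quote character has already found the hole. The escaped and parameterised versions return exactly the rows that match the literal value.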
----- ORIGINAL MESSAGE ----
FROM: Andre Lopes
TO: pgsql-general(at)postgresql(dot)org
DATE: Fri, 5 Feb 2010 21:20:26 +0000
SUBJECT: [GENERAL] How can I test my web application against SQL Injections?
Hi,
I have built a Web Application using PostgreSQL as Database. I need to test it against SQL Injections. What should I do? How do I do an accurate test against SQL Injections?
Best Regards,