Re: checking SQL statement/subexpression validity

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Mike Nolan <nolan(at)gw(dot)tssi(dot)com>
Cc: lists(at)zara(dot)6(dot)isreserved(dot)com (David Garamond), pgsql-general(at)postgresql(dot)org
Subject: Re: checking SQL statement/subexpression validity
Date: 2005-02-09 05:11:15
Message-ID: 12964.1107925875@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Mike Nolan <nolan(at)gw(dot)tssi(dot)com> writes:
>> I need to check whether a SQL subexpression (to be used in WHERE
>> clause), e.g.:

> I've never tested it from Perl, but could you use 'explain select....'
> to see if it parses? It won't actually execute it if it does.

Consider input along the line of

"SELECT true; DELETE FROM critical_table WHERE true"

The EXPLAIN nullifies the first part and then the second part
destroys your table.

I think that if you allow random possibly-hostile input to be sent to
your SQL engine then you are going to get burnt :-(

The V3 extended-query protocol allows only one SQL command per message
--- so using that would prevent the more obvious possibilities for SQL
command injection. But I'd still not have a lot of faith in it. The
appropriately paranoid way to look at this is to allow through only the
stuff you are sure is OK, not to try to filter out the stuff you are
sure isn't OK.

regards, tom lane

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Joshua D. Drake 2005-02-09 05:14:29 Re: Backup restore does not work
Previous Message Art Fore 2005-02-09 04:51:29 Re: Database permissions