From: | Geoff Caplan <geoff(at)variosoft(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Sql injection attacks |
Date: | 2004-07-26 00:11:47 |
Message-ID: | 141313517704.20040726011147@variosoft.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Hi folks,
Peter Eisentraut wrote:
PE> If you use prepared statements (the details of which vary by >>
PE> programming language), you should be quite safe.
Peter - thanks for the suggestion. You are right: a poorly designed
function might simply concatenate the injected code - I hadn't really
thought it through. The key seems to be to treat the unsafe string as
a value so it can't leak out into the statement, and a parameterised
prepared statement would do this effectively, as you suggest. Very
elegant...
Bill Moran wrote:
BM> To protect yourself from SQL injections, just pass all your data through
BM> PQescapeString()
I'm no expert, but the papers I have been reading suggest that the
usual hygene advice such as don't display DB error messages and escape
unsafe strings doesn't cover all types of attack. See, for example,
this:
http://www.net-security.org/article.php?id=571
But so far as I can see, Peter's suggestion should provide a workable
robust solution. So thanks again!
------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154
From | Date | Subject | |
---|---|---|---|
Next Message | Stephan Szabo | 2004-07-26 00:18:53 | Re: locale-specific sort algorithms undocumented? |
Previous Message | Gaetano Mendola | 2004-07-25 23:41:05 | Re: constraitnt on case sensetive and case insensetive columns |