From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Gregory Stark <stark(at)enterprisedb(dot)com> |
Cc: | Andrew Sullivan <ajs(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Protection from SQL injection |
Date: | 2008-05-01 15:26:21 |
Message-ID: | 14964.1209655581@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Gregory Stark <stark(at)enterprisedb(dot)com> writes:
> "Andrew Sullivan" <ajs(at)commandprompt(dot)com> writes:
>> The _principal_ trick with SQL injection is to fool the application
>> into somehow handing a ";" followed by an arbitrary SQL statement.
> They're the principal trick only because they're the most convenient. If you
> block them (as you can today by using PQExecParams() !!!) then people will
> switch to other things.
Sure, modifying the WHERE clause is still possible, but the attacker is
a lot more limited in what he can do if he can't tack on a whole new
command.
The important aspects of this that I see are:
1. Inexpensive to implement;
2. Unlikely to break most applications;
3. Closes off a fairly large class of injection attacks.
The cost/benefit ratio looks pretty good (unlike the idea that started
this thread...)
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Andrew Sullivan | 2008-05-01 15:47:04 | Re: Protection from SQL injection |
Previous Message | Andrew Dunstan | 2008-05-01 15:14:13 | Re: Odd timezone backend output |