Re: (security) Rules of thumb for escaping user input?

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Bill Gribble <grib(at)linuxdevel(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: (security) Rules of thumb for escaping user input?
Date: 2002-05-15 15:11:37
Message-ID: 20020516011137.B14367@svana.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Wed, May 15, 2002 at 09:56:45AM -0500, Bill Gribble wrote:
> So the only escaping I do in my app currently is to replace ' with '' in
> user-input strings. If I assume that the goal is to prevent any
> user-input strings from being evaluated as SQL statements (only to allow
> user input as constant values), what other escaping do I need to do?

Off the top of my head, you should probably be escaping the backslash (\)
also.

> Is there a SQL "hack prevention" FAQ out there somewhere?

Not that I know of. If you're using perl you can use the tainting mechanism.
Modify Pg.pm to complain about any tainted queries. Then only values that
you have cleared through a regex will work. Very secure, but can be a lot of
work.

Other languages have tainting also IIRC.

However, I find escaping just as you're building the query to be quite
effective.
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Canada, Mexico, and Australia form the Axis of Nations That
> Are Actually Quite Nice But Secretly Have Nasty Thoughts About America

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Andrew Sullivan 2002-05-15 15:24:47 Re: Is it better to use OS cache or max out memory usage of PostgreSQL?
Previous Message Martijn van Oosterhout 2002-05-15 15:06:12 Re: Spped of max