From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
---|---|
To: | Bill Gribble <grib(at)linuxdevel(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: (security) Rules of thumb for escaping user input? |
Date: | 2002-05-15 15:11:37 |
Message-ID: | 20020516011137.B14367@svana.org |
Lists: | pgsql-general |
On Wed, May 15, 2002 at 09:56:45AM -0500, Bill Gribble wrote:
> So the only escaping I do in my app currently is to replace ' with '' in
> user-input strings. If I assume that the goal is to prevent any
> user-input strings from being evaluated as SQL statements (only to allow
> user input as constant values), what other escaping do I need to do?
Off the top of my head, you should probably be escaping the backslash (\)
also.
> Is there a SQL "hack prevention" FAQ out there somewhere?
Not that I know of. If you're using perl you can use the tainting mechanism.
Modify Pg.pm to complain about any tainted queries. Then only values that
you have cleared through a regex will work. Very secure, but can be a lot of
work.
Other languages have tainting also IIRC.
However, I find escaping just as you're building the query to be quite
effective.
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Canada, Mexico, and Australia form the Axis of Nations That
> Are Actually Quite Nice But Secretly Have Nasty Thoughts About America
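As an added example (not code from the thread or from PostgreSQL), a small Python model of the two escaping rules given above: double the single quote and double the backslash, which in PostgreSQL of that era acted as an escape character inside string literals. The `parse_literal` function is an assumed, simplified stand-in for the server's literal parsing, used only to check that an escaped value cannot end the literal early.

```python
# Escaping a user-supplied value as a SQL string literal, per the thread:
# replace ' with '' AND escape the backslash. Assumption: the target parser
# treats \x inside a literal as the character x (2002-era PostgreSQL rules).

def escape_quote_only(value: str) -> str:
    """The approach from the question: only the single quote is doubled."""
    return "'" + value.replace("'", "''") + "'"

def escape_literal(value: str) -> str:
    """Double backslashes first, then quotes, so neither step undoes the other."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def parse_literal(sql: str) -> tuple:
    """Simplified model of a backslash-aware literal parser (assumption, not
    the real one). Returns (decoded_value, text_after_closing_quote)."""
    if not sql.startswith("'"):
        raise ValueError("literal must start with a quote")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):      # \x -> x
            out.append(sql[i + 1])
            i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":          # '' -> '
                out.append("'")
                i += 2
            else:                                # closing quote
                return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")

def round_trips(escaper, value: str) -> bool:
    """True only if the literal decodes back to `value` and leaves nothing
    behind, i.e. the value could neither end nor swallow the rest of the query."""
    try:
        decoded, rest = parse_literal(escaper(value))
    except ValueError:
        return False
    return decoded == value and rest == ""

if __name__ == "__main__":
    for sample in ["O'Reilly", "C:\\", "a\\'b"]:   # constructed test values
        print(repr(sample), "quote-only:", round_trips(escape_quote_only, sample),
              "quote+backslash:", round_trips(escape_literal, sample))
```

Where the driver supports parameter binding (DB-API `cursor.execute(sql, params)`), the value never enters the SQL text at all and none of this hand escaping is needed.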