| From: | Michael Fuhr <mike(at)fuhr(dot)org> |
|---|---|
| To: | Volkan YAZICI <yazicivo(at)ttnet(dot)net(dot)tr> |
| Cc: | pgsql-interfaces(at)postgresql(dot)org |
| Subject: | Re: escaping literals (in libpq) |
| Date: | 2005-04-03 16:33:39 |
| Message-ID: | 20050403163339.GA86021@winnie.fuhr.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-interfaces |
On Sun, Apr 03, 2005 at 03:27:47AM +0300, Volkan YAZICI wrote:
>
> By using PQescapeString() and PQescapeBytea() we can protect SQL
> commands from SQL-Injection. I just wonder if it's necessary to
> use these escape functions when using PQexecParams() or
> PQsendQueryParams(); or these execParam functions don't need
> escaping literals?
Here's an excerpt from the PQexecParams() documentation:
The primary advantage of PQexecParams over PQexec is that
parameter values may be separated from the command string, thus
avoiding the need for tedious and error-prone quoting and
escaping.
Run some tests: create queries that do simple (but harmless) SQL
injection, submit them unescaped with PQexec() to verify that the
injection works, then escape them and submit them with PQexec() to
verify that escaping prevents the injection, then submit them
unescaped with PQexecParams() and observe what happens, then escape
them and submit them with PQexecParams() and observe what happens.
--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Volkan YAZICI | 2005-04-03 17:11:50 | Re: escaping literals (in libpq) |
| Previous Message | John DeSoi | 2005-04-03 13:40:10 | Re: MacSQL connectivity |