From: | "Matthew D(dot) Fuller" <fullermd(at)over-yonder(dot)net> |
---|---|
To: | Ben <bench(at)silentmedia(dot)com> |
Cc: | Yonatan Ben-Nes <da(at)canaan(dot)co(dot)il>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: SQL injection |
Date: | 2005-11-01 10:45:13 |
Message-ID: | 20051101104513.GF1367@over-yonder.net |
Views: | Whole Thread | Raw Message | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Mon, Oct 31, 2005 at 10:12:45AM -0800 I heard the voice of
Ben, and lo! it spake thus:
> Maybe I'm not very creative, but it sure seems to me that if you
> escape your strings, make sure your numbers are numbers, and your
> booleans are actually booleans, then you're protected....
Once nice touch is that booleans and numbers will be accepted by Pg if
they're escaped and quoted like strings. So, in PHP, I always run
EVERYTHING through a wrapper db_quote() function that returns
something like ("'" . pg_escape_string(foo) . "'") (or its equivalent
in MySQL, etc) and just call it fixed. Of course, I do type checks
for user feedback and such as well, but in case something slips
through, it's all escaped.
--
Matthew Fuller (MF4839) | fullermd(at)over-yonder(dot)net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.
From | Date | Subject | |
---|---|---|---|
Next Message | Jan Wieck | 2005-11-01 13:16:17 | Re: Oracle 10g Express - any danger for Postgres? |
Previous Message | Michael Fuhr | 2005-11-01 08:24:22 | Re: after insert or update or delete of col2 |