Re: SQL injection

From: "Matthew D(dot) Fuller" <fullermd(at)over-yonder(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Kevin Murphy <murphy(at)genome(dot)chop(dot)edu>, PostgreSQL general <pgsql-general(at)postgresql(dot)org>
Subject: Re: SQL injection
Date: 2005-11-02 01:01:41
Message-ID: 20051102010141.GG1367@over-yonder.net
Lists: pgsql-general

On Tue, Nov 01, 2005 at 08:57:04AM -0500 I heard the voice of
Tom Lane, and lo! it spake thus:
>
> If you rely on applying an escaping function then it's pretty easy
> to forget it in one or two places, and it only takes one hole to be
> vulnerable :-(.

The trick is to make it a religious ritual. I escape things into _q
variables:

$name   = $_REQUEST['name'];   // raw, untrusted input
$name_q = db_quote($name);     // quoted copy; only the _q form goes into a query

And have myself thoroughly trained to ONLY use _q variables in
building queries. Of course, once in a while, I forget to _create_
the _q version before using it, but then I get a nice loud error
message castigating me for it. I often (not consistently) create _q
variables even for known-good strings and such that I hardcode into
the program.

It could well be that using prepared statements is by various metrics
a "better" way to go about things. But I'm far too lazy to try and
reprogram my fingers ;-)

--
Matthew Fuller (MF4839) | fullermd(at)over-yonder(dot)net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.
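
The three approaches the thread contrasts, raw interpolation, escaping into a _q variable, and a parameterized query, side by side as an added example; this is not code from the post or from PostgreSQL. It uses Python's bundled sqlite3 module as an offline stand-in for a PostgreSQL connection (assumption: both write a single quote inside a plain string literal as two single quotes), and db_quote() here is a hypothetical re-implementation of the poster's helper that does only that doubling.

```python
"""Added example: raw interpolation vs. escaping into a _q variable vs. a
parameterized query. Uses Python's bundled sqlite3 as an offline stand-in for
PostgreSQL (assumption: same rule for plain string literals, i.e. a single
quote inside the literal is written as two single quotes)."""
import sqlite3

# Constructed sample data, not from the original post.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, secret TEXT NOT NULL);
INSERT INTO users (name, secret) VALUES ('alice', 'alice-secret');
INSERT INTO users (name, secret) VALUES ('bob', 'bob-secret');
"""

# A classic tautology payload: closes the literal, then makes the WHERE clause true.
PAYLOAD = "x' OR '1'='1"


def db_quote(value: str) -> str:
    """Hypothetical stand-in for the poster's db_quote(): wrap VALUE in single
    quotes and double every embedded single quote, so the result is a complete
    SQL string literal. (PostgreSQL's own helpers are PQescapeLiteral() in
    libpq and quote_literal() in SQL; see the note on backslashes below.)"""
    return "'" + value.replace("'", "''") + "'"


def connect() -> sqlite3.Connection:
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_naive(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the untrusted value is pasted straight into the query text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(conn: sqlite3.Connection, name: str) -> list:
    """The _q discipline: only the quoted copy is ever used to build SQL."""
    name_q = db_quote(name)
    sql = "SELECT name FROM users WHERE name = " + name_q
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value never becomes part of the SQL text, so
    there is nothing to forget to quote."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = connect()
    print("naive  :", lookup_naive(conn, PAYLOAD))   # ['alice', 'bob']: injection worked
    print("quoted :", lookup_quoted(conn, PAYLOAD))  # []: payload became a plain literal
    print("param  :", lookup_param(conn, PAYLOAD))   # []: payload became a plain literal
    print("legit  :", lookup_param(conn, "alice"))   # ['alice']
```

Running it shows the naive query returning every row for the payload while the quoted and parameterized versions return nothing, which is the whole point of the _q discipline; Python's NameError on a forgotten name_q plays the same role as the "loud error message" the post relies on. One caveat for PostgreSQL specifically: when standard_conforming_strings is off, a backslash inside a plain literal is an escape character, so doubling quotes alone is not enough (the input `\'` survives as `\''` and the backslash neutralizes the first quote); use the driver's or libpq's connection-aware quoting rather than a hand-rolled replace, or better, the parameterized form, which sidesteps the quoting rules entirely.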
