Re: Protection from SQL injection

From: Andrew Sullivan <ajs(at)commandprompt(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-05-01 13:13:27
Message-ID: 20080501131327.GB6253@commandprompt.com
Lists: pgsql-hackers

On Wed, Apr 30, 2008 at 05:33:38PM -0400, Tom Lane wrote:

> you're at risk of some clients being secure and some not. I thought
> what we were discussing was a server-side GUC parameter that would
> disallow more than one SQL statement per PQexec.

That was certainly what I was intending, yes.

The _principal_ trick with SQL injection is to fool the application
into somehow handing a ";" followed by an arbitrary SQL statement.
There are of course other things one can do, but most of them are
constrained to abuse of statements your application already performs.
This injection problem, on the other hand, allows an attacker to do
whatever they want.

Obviously, if the server simply throws an error whenever one tries to
do this, the attack will be foiled. It sounded to me like a patch
that implemented this was already rejected.

I agree that it's a bit filthy, and I'd way prefer that people build
their applications such that these vectors aren't open in the first
place. But given the prevalence of quick and dirty development with
code one hasn't always completely vetted, this might be a nice feature
in some environments. As long as it's possible to turn it off (we'd
probably need to make it require a server restart to make it really
effective), I think it could be useful.

A

--
Andrew Sullivan
ajs(at)commandprompt(dot)com
+1 503 667 4564 x104
http://www.commandprompt.com/
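The two things the message contrasts (an attacker smuggling in ";" plus a statement of their own, versus a server that refuses more than one statement per call, versus an application written so the vector is not open at all) can be shown side by side. The following is an added illustration, not code from this thread or from PostgreSQL: it uses Python's sqlite3 module as a stand-in, where executescript() plays the role of a server accepting a stacked string and execute(), which refuses a string containing more than one statement, plays the role of the proposed one-statement-per-PQexec setting. The table, the two payload strings and the function names are constructed for the example.

```python
import sqlite3

# Constructed attacker inputs for a lookup-by-name form field.
# The first is the ";" trick the message describes: it closes the quoted
# value, ends the statement and appends an arbitrary one of its own.
PAYLOAD_STACKED = "x'; DELETE FROM users WHERE '' = '"
# The second abuses only the statement the application already runs.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users (name) VALUES ('alice'), ('bob');"
    )
    return conn


def count_users(conn):
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


def lookup_concat(conn, name, one_statement_only):
    """Vulnerable lookup: the caller-controlled value is spliced into the SQL.

    Returns ("executed", rows) or ("rejected", []).
    """
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    if not one_statement_only:
        # Like PQexec given a plain string: every ';'-separated statement in
        # the string runs, including whatever the attacker appended.
        conn.executescript(sql)
        return "executed", []
    try:
        # execute() refuses a string carrying more than one statement, which
        # is the behaviour the proposed server-side setting would impose.
        return "executed", sorted(r[0] for r in conn.execute(sql))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # Older Python versions raise sqlite3.Warning for this case.
        return "rejected", []


def lookup_param(conn, name):
    """Hardened lookup: the value is bound as a parameter, never parsed as SQL."""
    return sorted(
        r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    )


def demo():
    """Run each combination and report what happened to the table."""
    results = {}

    conn = make_db()
    status, _ = lookup_concat(conn, PAYLOAD_STACKED, one_statement_only=False)
    results["stacked_allowed"] = (status, count_users(conn))   # table wiped

    conn = make_db()
    status, _ = lookup_concat(conn, PAYLOAD_STACKED, one_statement_only=True)
    results["stacked_refused"] = (status, count_users(conn))   # table intact

    # The restriction does nothing against abuse of the existing SELECT.
    status, rows = lookup_concat(conn, PAYLOAD_TAUTOLOGY, one_statement_only=True)
    results["tautology_under_restriction"] = (status, rows)

    # Parameter binding treats both payloads as literal names that match nothing.
    results["param_stacked"] = lookup_param(conn, PAYLOAD_STACKED)
    results["param_tautology"] = lookup_param(conn, PAYLOAD_TAUTOLOGY)
    results["param_alice"] = lookup_param(conn, "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology case is the caveat the message itself raises: refusing stacked statements foils the ";" trick but leaves the attacker free to bend whatever statement the application already issues, so the restriction is a backstop for code one has not vetted rather than a substitute for parameterised queries. In libpq terms, PQexecParams and the extended query protocol already allow at most one command per call, so an application that binds its values through them gets both protections without any server-side setting.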
