Re: to_tsquery, plainto_... avoiding bad input, injections. Is there a builtin function for this ? Escaping?

From: Christopher Swingley <cswingle(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: to_tsquery, plainto_... avoiding bad input, injections. Is there a builtin function for this ? Escaping?
Date: 2009-01-08 16:20:22
Message-ID: 20090108162022.GA6339@abrinc.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Greetings!

> Wed, Jan 7, 2009 at 8:07 PM, Mohamed <mohamed5432154321(at)gmail(dot)com>
> > Hi, I am wondering whether or not there exists any built in
> > function for making sure a query/textinput is not harmful or one
> > that escapes them. If not, what kind of things should I watch out
> > for ?
>
> * Reg Me Please <regmeplease(at)gmail(dot)com> [2009-Jan-08 00:20 AKST]:
> Maybe I'm missing the point, but have read about quote_ident() and
> quote_literal() at chapter 9.4 "String Functions and Operators"?

quote_literal() does seem like a good choice for getting the quoting
correct. As far as protecting yourself from SQL injection attacks, you
may want to look at the options available in the programming language
you are using to get user input. In Python, for example, you can run
queries as follows:

parameters = (12, "bar", True)
query = "INSERT INTO foo VALUES (%d, %s, %s);"
cursor.execute(query, parameters)
cursor.commit()

Python fills the '%X' fields with the parameters after verifying they
are safe. Probably best to test how much protection this offers.

I believe the risk isn't so much a question of quoting or special
characters, but carefully crafted input variables. For example, what if
the second parameter was:

"'bar', True); DELETE FROM foo; INSERT INTO foo VALUES (1, 'bar',"

Cheers,

Chris
--
Christopher S. Swingley
http://swingleydev.com/
<cswingle(at)gmail(dot)com>

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Harald Armin Massa 2009-01-08 16:20:58 Re: version number between pgdump and server
Previous Message Laurent ROCHE 2009-01-08 16:10:11 version number between pgdump and server