| From: | Adam Rich <adam(dot)r(at)sbcglobal(dot)net> |
|---|---|
| To: | William Temperley <willtemperley(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Secure "where in(a,b,c)" clause. |
| Date: | 2008-04-03 17:21:12 |
| Message-ID: | 239101.92496.qm@web81402.mail.mud.yahoo.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> I hope this isn't a FAQ, but does anyone have any
> suggestions as to
> how to make a query that selects using:
> "where in(<comma delimited list>)"
> secure from an sql injection point of view?
>
> As the length of the comma delimited list is highly
> variable I don't
> think I can use a prepared query to increase
> security.
>
Prepared query, no.. but you can still use parameter
binding. Determine how many parameters you need, and
create a query like this:
where in ($1, $2, $3, $4, $5)
and then bind each of those parameters. This works
well enough for small numbesr of parameters. Somebody
else will have to answer if there's a better way for
larger quantities.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Richard Broersma | 2008-04-03 17:24:05 | Re: Secure "where in(a,b,c)" clause. |
| Previous Message | Rodrigo E. De León Plicet | 2008-04-03 17:20:46 | Re: Secure "where in(a,b,c)" clause. |