From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Bogdan Tomchuk" <tbp-dsi(at)poly(dot)polytechnique(dot)fr> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: SQL Injection possible on custom functions |
Date: | 2005-02-14 16:45:06 |
Message-ID: | 29269.1108399506@sss.pgh.pa.us |
Lists: | pgsql-general |
"Bogdan Tomchuk" <tbp-dsi(at)poly(dot)polytechnique(dot)fr> writes:
> My question is: if we imagine that input of UpdateAccount has no
> filtration or this filtration is incorrect, does there exist any way to modify
> other than authorized parameters of Accounts table or records of other
> user? Is there any injection technique possible? Should I still do
> something like quote_literal() systematically on each parameter and
> reverse conversion each time? Or even replace UPDATE.. by EXECUTE

No. The code as you wrote it is perfectly secure --- plpgsql variables
are placeholders, their values aren't injected literally into the SQL
command. If you went over to using EXECUTE then you *would* need
quote_literal to be safe, because then you're synthesizing the complete
SQL command as a string.
regards, tom lane
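The distinction Tom draws, as an added example that is not part of the original thread and not Bogdan's actual UpdateAccount function: the table name, column names and function names below are assumptions. The first function uses static SQL, where plpgsql binds the variables as parameters; the second shows the EXECUTE pattern that splices values into the command text; the third is the same dynamic statement hardened with quote_literal().

```sql
-- Hypothetical table; names are assumptions, not taken from the thread.
CREATE TABLE accounts (
    user_id  integer PRIMARY KEY,
    email    text,
    comment  text
);

-- Static SQL inside plpgsql: p_user_id, p_email and p_comment are bound as
-- parameters when the statement is planned. Their contents never become part
-- of the command text, so a quote character inside p_comment is just data.
CREATE OR REPLACE FUNCTION update_account(p_user_id integer, p_email text, p_comment text)
RETURNS void AS $$
BEGIN
    UPDATE accounts
       SET email = p_email,
           comment = p_comment
     WHERE user_id = p_user_id;
END;
$$ LANGUAGE plpgsql;

-- EXECUTE runs a command assembled as a string. Concatenating the values in
-- directly makes them part of the SQL text, so a value containing a quote
-- character alters the statement's structure instead of being stored as data.
-- Kept here only as the 'before' form of the fix below.
CREATE OR REPLACE FUNCTION update_account_dynamic_unsafe(p_user_id integer, p_email text, p_comment text)
RETURNS void AS $$
BEGIN
    EXECUTE 'UPDATE accounts SET email = ''' || p_email
         || ''', comment = ''' || p_comment
         || ''' WHERE user_id = ' || p_user_id;
END;
$$ LANGUAGE plpgsql;

-- Same dynamic statement with every value passed through quote_literal(),
-- which doubles embedded quotes and wraps the result in single quotes, so
-- the value is always parsed as one string literal.
CREATE OR REPLACE FUNCTION update_account_dynamic(p_user_id integer, p_email text, p_comment text)
RETURNS void AS $$
BEGIN
    EXECUTE 'UPDATE accounts SET email = ' || quote_literal(p_email)
         || ', comment = ' || quote_literal(p_comment)
         || ' WHERE user_id = ' || quote_literal(p_user_id::text);
END;
$$ LANGUAGE plpgsql;

-- Constructed check: the comment value contains a single quote. The static
-- and the quote_literal() versions store it unchanged; the concatenating
-- version fails with a syntax error because the quote ends the literal early.
INSERT INTO accounts VALUES (1, 'old@example.org', 'initial');
SELECT update_account(1, 'new@example.org', 'O''Brien''s note');
SELECT update_account_dynamic(1, 'new@example.org', 'O''Brien''s note');
SELECT user_id, email, comment FROM accounts WHERE user_id = 1;
```

The check at the end is the test worth running against any plpgsql function of this shape: pass a value with an embedded single quote and confirm it lands in the row verbatim. If a function only behaves correctly for clean input, it is building SQL text from its arguments somewhere and needs quote_literal() (or quote_ident() for any identifier it splices in) at that point.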