From: | Alex Turner <armtuk(at)gmail(dot)com> |
---|---|
To: | "SCassidy(at)overlandstorage(dot)com" <SCassidy(at)overlandstorage(dot)com> |
Cc: | "surabhi(dot)ahuja" <surabhi(dot)ahuja(at)iiitb(dot)ac(dot)in>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: a stored procedure ..with integer as the parameter |
Date: | 2005-10-24 18:44:50 |
Message-ID: | 33c6269f0510241144s680be862pfdc0c59dcba06eee@mail.gmail.com |
Lists: | pgsql-general |
As sort of a side discussion - I have postulated that quoting all incoming
numbers as strings would be an effective defense against SQL Injection style
attacks, as magic quotes would destroy any end-quote type syntax:
in_value=1
select * from table where my_id='$in_value';
as an example for PHP - Postgres will silently perform an atoi on the string
to make it a number, but it would prevent:
in_value=1; delete * from user;
select * from table where my_id=$in_value
Am I just smoking crack here, or does this approach have some merit?
Alex
On 10/21/05, SCassidy(at)overlandstorage(dot)com <SCassidy(at)overlandstorage(dot)com>
wrote:
>
> First, you should not quote an integer value going into an integer column -
> bad habit to get into.
>
> Second, empty string is not an integer.
>
> Susan
>
>
>
> "surabhi.ahuja" <surabhi(dot)ahuja(at)iiitb(dot)ac(dot)in>
> Sent by: pgsql-general-owner(at)postgresql(dot)org
> To: <pgsql-general(at)postgresql(dot)org>
> cc:
> Subject: [GENERAL] a stored procedure ..with integer as the parameter
> 10/20/2005 11:03 PM
>
> I have a stored procedure
>
> insert_table(integer)
> which does "insert into table (x) value ($1)";
>
> now in my client I call the stored procedure as
>
> select insert_table("3");
>
> it works fine and inserts 3 into the table
>
> but suppose I give
>
> select insert_table("");
>
> it gives an error ...saying " invalid input syntax for integer: "
>
> please suggest a solution to this problem
>
> thanks,
> regards
> surabhi
>
>
>
>
>
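On the question Alex raises above (quoting every incoming number so that injected text cannot break out of the literal), the defensive approach the thread's other replies point toward is to validate the value as an integer on the client side and hand it to the driver as a bound parameter, never as part of the SQL text. The following is an added example, not code from the thread, from PostgreSQL or from PHP: a Python sketch that exercises the three inputs mentioned in the thread (a valid id, the empty string from the original question, and the injection-shaped value from Alex's message). It assumes psycopg2-style `%s` placeholders and makes no database connection; the sample inputs are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Constructed sample inputs mirroring the thread: a valid id, the empty
# string from the original question, the injection-shaped value from
# Alex's message, and a few edge cases a form might deliver.
SAMPLE_INPUTS = ["3", "", "1; delete * from user", " 42 ", "1.5", "-7"]

# Only ASCII digits with an optional sign; no whitespace, quotes or
# statement separators can survive this check.
_INT_RE = re.compile(r"[+-]?[0-9]+")

# PostgreSQL integer (int4) range; anything outside belongs to bigint/numeric.
INT4_MIN, INT4_MAX = -2**31, 2**31 - 1


def parse_int_param(raw: str) -> Optional[int]:
    """Strictly validate a request value destined for an integer parameter.

    Returns an int, or None when the value is empty (the caller decides
    whether NULL is acceptable, which is the empty-string case from the
    original question). Raises ValueError for anything else, so a string
    such as "1; delete * from user" never reaches the database as SQL
    text. Surrounding whitespace is tolerated because HTML forms often add
    it; embedded characters are not.
    """
    value = raw.strip()
    if value == "":
        return None
    if not _INT_RE.fullmatch(value):
        raise ValueError(f"not an integer: {raw!r}")
    number = int(value)
    if not INT4_MIN <= number <= INT4_MAX:
        raise ValueError(f"out of int4 range: {raw!r}")
    return number


def is_valid_int_param(raw: str) -> bool:
    """True when parse_int_param accepts the value (an integer or empty)."""
    try:
        parse_int_param(raw)
    except ValueError:
        return False
    return True


def build_insert_call(raw: str, allow_null: bool = False) -> Tuple[str, tuple]:
    """Build a parameterised call to the thread's insert_table(integer).

    The SQL text is a constant; the value travels separately in the
    parameter tuple (psycopg2-style %s placeholder, assumed here), so the
    driver, not string concatenation, decides how the value is transmitted.
    Quoting the number as a string literal is unnecessary once the value is
    bound this way.
    """
    number = parse_int_param(raw)
    if number is None and not allow_null:
        raise ValueError("empty value supplied for a NOT NULL integer parameter")
    return "select insert_table(%s);", (number,)


def triage(inputs) -> dict:
    """Classify constructed inputs as accepted (with value) or rejected."""
    result = {}
    for raw in inputs:
        try:
            _, params = build_insert_call(raw, allow_null=True)
            result[raw] = ("accepted", params[0])
        except ValueError as exc:
            result[raw] = ("rejected", str(exc))
    return result


if __name__ == "__main__":
    for raw, outcome in triage(SAMPLE_INPUTS).items():
        print(f"{raw!r:28} -> {outcome}")
```

The check runs before any SQL is assembled, so the decision about the empty string (reject it, or pass NULL when the column allows it) is made explicitly in application code rather than surfacing later as PostgreSQL's "invalid input syntax for integer" error.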