| From: | "Richard Broersma" <richard(dot)broersma(at)gmail(dot)com> |
|---|---|
| To: | "William Temperley" <willtemperley(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Secure "where in(a,b,c)" clause. |
| Date: | 2008-04-03 17:24:05 |
| Message-ID: | 396486430804031024l688f0133x943e137dcce6fb10@mail.gmail.com |
| Lists: | pgsql-general |
On Thu, Apr 3, 2008 at 9:50 AM, William Temperley
<willtemperley(at)gmail(dot)com> wrote:
> Hi All
>
> I hope this isn't a FAQ, but does anyone have any suggestions as to
> how to make a query that selects using:
> "where in(<comma delimited list>)"
> secure from an sql injection point of view?
I have an idea, but I can't comment if it is a good idea since I
haven't tried it.
Maybe you can create a temp table for each user, insert the values you
want into the table, and lastly perform a join on your foo table with
the user's temp table. This hopefully would leave anything open for
injection.
When you are done just drop the temp table.
--
Regards,
Richard Broersma Jr.
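The temp-table-and-join approach described above, spelled out as a psql session (an added example, not code from the thread); it assumes a table `foo(id integer, ...)` exists, and it goes one step further by also showing the single-statement array-parameter form `= ANY($1)`.

```sql
BEGIN;

-- Per-session scratch table. ON COMMIT DROP removes it automatically at COMMIT
-- or ROLLBACK, so the "drop the temp table when you are done" step cannot be
-- forgotten. PRIMARY KEY rejects duplicate values, so the join cannot
-- multiply rows in foo.
CREATE TEMP TABLE wanted_ids (id integer PRIMARY KEY) ON COMMIT DROP;

-- Every requested value enters through a bound parameter, never by pasting it
-- into the SQL text. PREPARE/EXECUTE is PostgreSQL's server-side form of this;
-- a client driver's placeholder binding achieves the same separation.
PREPARE add_wanted(integer) AS INSERT INTO wanted_ids (id) VALUES ($1);
EXECUTE add_wanted(42);      -- sample values, constructed for this example
EXECUTE add_wanted(7);
EXECUTE add_wanted(1999);

-- The IN (...) list becomes a join: the query text is constant no matter how
-- many values the user supplied or what they contain.
SELECT f.*
FROM foo AS f
JOIN wanted_ids AS w ON w.id = f.id;

-- Equivalent single-statement form: bind the whole list as one array
-- parameter. The list length never changes the statement text either.
PREPARE fetch_foo(integer[]) AS SELECT * FROM foo WHERE id = ANY($1);
EXECUTE fetch_foo(ARRAY[42, 7, 1999]);

COMMIT;   -- wanted_ids is dropped here
```

Either form keeps user-supplied values out of the statement text entirely, which is what removes the injection surface; the temp table additionally lets the same value set drive several queries in one transaction.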