Re: Preventing sql injection

From: Rick Roman <rick(at)cotse(dot)net>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Preventing sql injection
Date: 2005-08-10 17:14:30
Message-ID: 42FA35F6.4060900@cotse.net
Lists: pgsql-admin

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Alvaro Herrera wrote:
<blockquote cite="mid20050810171108(dot)GF7871(at)alvh(dot)no-ip(dot)org" type="cite">
<pre wrap="">On Wed, Aug 10, 2005 at 10:02:05AM -0700, Rick Roman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I have a web application that will allow users to submit comments. The
database activity consists of a single insert statement into a comments
table. I want to lock down this operation against sql injection attacks.
Can someone point me to a discussion of general principles? I've seen
reference to V3 extended-query protocol. Where is this invoked? Other
suggestions?
</pre>
</blockquote>
<pre wrap=""><!---->
What language are you using?

The general principle is that you have to look at user input for certain
chars, such as ' and \, and escape them somehow.

There's another way, which is using new features of the v3 protocol.
One easy way to do that is using PQexecParams() instead of PQexec(), if
you are dealing with C programs.

</pre>
</blockquote>
I am using PG 7.3, Java through the OBJ Object/relational bridge.<br>
</body>
</html>
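As an added example (not code from the thread), the Python below implements the escaping rule Alvaro describes for a 7.x server, where both ' and \ are significant inside a string literal, plus a small statement counter that shows a constructed hostile comment breaking out of the literal in the unescaped INSERT and staying inside it once escaped. The comments table and its body column are assumed names for the single INSERT the web application issues.

```python
# Added example, not code from the mailing-list thread.
# Table name "comments" and column "body" are assumptions.

def pg_escape_literal(value: str) -> str:
    """Return value as a single-quoted PostgreSQL 7.x string literal.

    On a 7.x server backslash escapes are active inside literals, so the
    two characters that can end or alter the literal are ' and \:
    every ' becomes '' and every \ becomes \\.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return "'" + escaped + "'"


def build_insert(comment: str, safe: bool = True) -> str:
    """Compose the single INSERT, with or without escaping the user value."""
    literal = pg_escape_literal(comment) if safe else "'" + comment + "'"
    return "INSERT INTO comments (body) VALUES (" + literal + ");"


def count_statements(sql: str) -> int:
    """Count top-level statements, honouring 7.x literal syntax.

    A ';' inside a literal is data; only a ';' outside one ends a statement.
    Inside a literal, a doubled '' and a \-escaped character do not close it.
    A -- comment runs to end of line.
    """
    count, in_literal, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "\\":                      # escape: skip next char
                i += 1
            elif ch == "'":
                if sql[i + 1:i + 2] == "'":     # doubled quote stays inside
                    i += 1
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
        elif ch == ";":
            count += 1
        elif ch == "-" and sql[i + 1:i + 2] == "-":
            nl = sql.find("\n", i)              # skip the rest of the comment
            if nl == -1:
                break
            i = nl
        i += 1
    return count


# Constructed hostile input: without escaping it closes the literal early.
HOSTILE_COMMENT = "x'); DELETE FROM comments; --"
```

Binding the value as a parameter (PQexecParams in libpq, or a JDBC PreparedStatement with a ? placeholder) sends it separately from the SQL text, so no literal is built and no escaping is needed; note that the v3 extended-query protocol Alvaro mentions arrived with PostgreSQL 7.4, so against a 7.3 server a driver still has to quote on the client side.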
