Re: Best practices for protect applications agains Sql injection.

From: Tom Hart <tomhart(at)coopfed(dot)org>
To: "pepone(dot)onrez" <pepone(dot)onrez(at)gmail(dot)com>
Cc: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Best practices for protect applications agains Sql injection.
Date: 2008-01-23 20:19:47
Message-ID: 4797A163.6050700@coopfed.org
Lists: pgsql-general

pepone.onrez wrote:
> Hi all
>
> I am interested in protecting my applications that use postgresql as
> their database backend from SQL injection attacks. Can anyone recommend
> best practices or references for protecting postgres from this kind of
> malicious user?
>
> Thanks in advance
> José Manuel, Gutíerrez de la Concha Martínez.
SQL injection vulnerabilities are a product of the coding, not the
database. In a typical SQL injection vulnerability, the code (typically
PHP or ASP, hopefully PHP) fails to sanitize the input of a parameter to
a query (removing ; among other things), but the db is acting properly
in such a situation.

For example, the query "SELECT * FROM users WHERE username =
'$username';" is a pretty typical PHP-generated query. If $username is
input as foobar, then the query "SELECT * FROM users WHERE username =
'foobar';" would work as intended. However, if the username was "foobar';
DELETE FROM users;" then the query would become
"SELECT * FROM users WHERE username = 'foobar'; DELETE FROM users;'"
which is a perfectly legal query (except for the last ', but it won't make
much of a difference) and the db is acting as designed. It is the
responsibility of the code to sanitize the input to keep this from
happening by removing special characters such as ; and ', so there is no
way (AFAIK) to utilize postgresql settings to protect against SQL injection.

Check out this page:
http://www.acunetix.com/websitesecurity/sql-injection.htm
and this page: http://www.acunetix.com/websitesecurity/sql-injection2.htm
for more information.

--
Tom Hart
IT Specialist
Cooperative Federal
723 Westcott St.
Syracuse, NY 13210
(315) 471-1116 ext. 202
(315) 476-0567 (fax)
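The string-building point in Tom's reply, as an added illustration that is not part of his message or of PostgreSQL's own code: a Python stand-in for the PHP pattern, a small splitter that shows how the quoted username turns one statement into three, and the parameterised form whose statement text never changes. The %s placeholder follows the psycopg2 convention, and the splitter assumes PostgreSQL's standard_conforming_strings behaviour (backslash is not an escape); both are assumptions, not something from the thread.

```python
from typing import List, Tuple

def build_query_unsafe(username: str) -> str:
    """The PHP pattern from the post, reproduced in Python: the value is
    pasted straight into the statement text (constructed example)."""
    return f"SELECT * FROM users WHERE username = '{username}';"

def build_query_safe(username: str) -> Tuple[str, Tuple[str, ...]]:
    """Parameterised form: the statement text is constant and the value is
    handed to the driver separately (psycopg2-style %s placeholder), so the
    server never parses user input as SQL."""
    return "SELECT * FROM users WHERE username = %s", (username,)

def split_statements(sql: str) -> Tuple[List[str], bool]:
    """Split SQL text on ';' outside single-quoted literals ('' is a doubled
    quote inside a literal; backslash is not an escape, as with PostgreSQL's
    standard_conforming_strings). Returns (statements, unterminated_literal).
    Useful as a defender-side check on the exact text a layer is about to send."""
    statements, buf, in_literal, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'" and sql[i + 1:i + 2] == "'":
                buf.append("''")           # doubled quote stays in the literal
                i += 2
                continue
            if ch == "'":
                in_literal = False
            buf.append(ch)
        elif ch == "'":
            in_literal = True
            buf.append(ch)
        elif ch == ";":
            text = "".join(buf).strip()
            if text:
                statements.append(text)
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements, in_literal

if __name__ == "__main__":
    # Constructed inputs: a plain name, a name with an apostrophe, and the thread's example.
    for name in ("foobar", "O'Brien", "foobar'; DELETE FROM users;"):
        stmts, open_literal = split_statements(build_query_unsafe(name))
        print(f"{name!r}: {len(stmts)} statement(s), unterminated={open_literal}")
        for s in stmts:
            print("   ", s)
```

Note that even the honest input O'Brien leaves the concatenated query with an unterminated literal, which is why the fixed-text, separate-parameter form is the reliable fix rather than stripping characters.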
