Re: Best practices for protect applications agains Sql injection.
| From | Tom Hart |
|---|---|
| Subject | Re: Best practices for protect applications agains Sql injection. |
| Date | |
| Msg-id | 4797A163.6050700@coopfed.org |
| In response to | Best practices for protect applications agains Sql injection. (pepone.onrez <pepone.onrez@gmail.com>) |
| List | pgsql-general |
pepone.onrez wrote:

> Hi all
>
> I am interested in protecting my applications that use postgresql as their database backend from SQL injection attacks. Can anyone recommend best practices or references for protecting postgres from this kind of malicious user?
>
> Thanks in advance
> José Manuel, Gutíerrez de la Concha Martínez.

SQL injection vulnerabilities are a product of the coding, not the database. In a typical SQL injection vulnerability, the code (typically PHP or ASP, hopefully PHP) fails to sanitize the input of a parameter to a query (removing `;` among other things), but the db is acting properly in such a situation.

For example, the query `SELECT * FROM users WHERE username = '$username';` is a pretty typical PHP-generated query. If `$username` is input as `foobar`, then the query `SELECT * FROM users WHERE username = 'foobar';` would work as intended. However, if the username was `foobar'; DELETE FROM users;` then the query would become `SELECT * FROM users WHERE username = 'foobar'; DELETE FROM users;'`, which is a perfectly legal query (except the last `'`, but it won't make much of a difference) and the db is acting as designed.

It is the responsibility of the code to sanitize the input to keep this from happening by removing special characters such as `;` and `'`, so there is no way (AFAIK) to utilize postgresql settings to protect against SQL injection.

Check out this page: http://www.acunetix.com/websitesecurity/sql-injection.htm and this page: http://www.acunetix.com/websitesecurity/sql-injection2.htm for more information.

--
Tom Hart
IT Specialist
Cooperative Federal
723 Westcott St.
Syracuse, NY 13210
(315) 471-1116 ext. 202
(315) 476-0567 (fax)
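As an added illustration (not code from the thread), here is the query from the reply above built both ways in Python: spliced into the SQL text as the PHP snippet does, and bound as a driver parameter, which is the usual fix today because the value never becomes part of the statement. It assumes an in-memory SQLite database as a stand-in for PostgreSQL (so it runs offline) and uses constructed sample rows.

```python
import sqlite3

# Constructed sample data, not from the original post.
SEED_USERS = [("alice",), ("bob",), ("foobar",)]
# The injected username quoted in the reply above.
INJECTED_USERNAME = "foobar'; DELETE FROM users;"


def make_db():
    """Fresh in-memory SQLite database standing in for the PostgreSQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", SEED_USERS)
    conn.commit()
    return conn

def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def build_query_unsafe(username):
    """Same pattern as the PHP snippet: the raw value is spliced into the SQL text."""
    return f"SELECT * FROM users WHERE username = '{username}';"

def lookup_unsafe(conn, username):
    """Run the spliced text as a script, as a driver that accepts several
    statements per call would. Returns how many users remain afterwards."""
    try:
        conn.executescript(build_query_unsafe(username))
    except sqlite3.Error:
        # The stray trailing quote is a syntax error, but it is reached only
        # after the earlier statements (including the DELETE) have run.
        pass
    return count_users(conn)

def lookup_safe(conn, username):
    """Bind the value as a parameter: the driver keeps it separate from the
    statement text, so quotes and semicolons in it never become SQL.
    Returns (matching rows, how many users remain afterwards)."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return rows, count_users(conn)

if __name__ == "__main__":
    print(build_query_unsafe(INJECTED_USERNAME))
    print("unsafe, users left:", lookup_unsafe(make_db(), INJECTED_USERNAME))
    print("safe, users left:", lookup_safe(make_db(), INJECTED_USERNAME)[1])
```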