| From: | paul rivers <rivers(dot)paul(at)gmail(dot)com> |
|---|---|
| To: | Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection, php and queueing multiple statement |
| Date: | 2008-04-12 18:59:16 |
| Message-ID: | 48010684.80608@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Ivan Sergio Borgonovo wrote:
> Yeah... but how can I effectively enforce the policy that ALL input
> will be passed through prepared statements?
>
Code reviews are about the only way to enforce this.
> If I can't, and I doubt there is a system that will let me enforce
> that policy at a reasonable cost, why not providing a safety net that
> will at least raise the bar for the attacker at a very cheap cost?
>
How do you do this? Disallow string concatenation and/or variable
interpolation for any string that's going to be shipped off to the
database? Do you parse the SQL string according to the rules of any
backend database you might be talking to, to see if you have a where
clause not using a prepared statement? i.e. - Nothing is going to work here.
You're stuck with making sure developers know the most rudimentary
things about talking to a database.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Wilson | 2008-04-12 19:07:18 | Re: Postgres on shared network drive |
| Previous Message | Dawid Kuroczko | 2008-04-12 18:52:11 | Re: SQL injection, php and queueing multiple statement |