Re: SQL injection, php and queueing multiple statement

From: paul rivers <rivers(dot)paul(at)gmail(dot)com>
To: Gregory Stark <stark(at)enterprisedb(dot)com>
Cc: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>, pgsql-general(at)postgresql(dot)org
Subject: Re: SQL injection, php and queueing multiple statement
Date: 2008-04-12 19:29:29
Message-ID: 48010D99.1040309@gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Gregory Stark wrote:
> "paul rivers" <rivers(dot)paul(at)gmail(dot)com> writes:
>
>
>>> If I can't, and I doubt there is a system that will let me enforce
>>> that policy at a reasonable cost, why not providing a safety net that
>>> will at least raise the bar for the attacker at a very cheap cost?
>>>
>> How do you do this? Disallow string concatenation and/or variable interpolation
>> for any string that's going to be shipped off to the database?
>>
>
> Actually there is a system that can do this. Perl with the -T option. It keeps
> track of which strings are "tainted" by user-input and functions like eval
> will cause errors if you try to pass them a tainted string. The database
> drivers support this and will trigger an error if they're passed a tainted
> string.
>
>

Good point. What happens in the case I query a string from the database,
and use this result to build another sql string via concatenation?
Assume the value in the database came from user input, albeit via
another source and not this script. Will taint catch this? (Genuine
question - I don't know.)

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Gregory Stark 2008-04-12 19:33:04 Re: Postgres on shared network drive
Previous Message Gregory Stark 2008-04-12 19:25:36 Re: SQL injection, php and queueing multiple statement