| From: | Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my> |
|---|---|
| To: | hf0722x(at)protecting(dot)net, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-28 21:11:08 |
| Message-ID: | 5.2.1.1.1.20040729045139.02b49448@localhost |
| Lists: | pgsql-general |
At 05:30 PM 7/28/2004 +0200, Harald Fuchs wrote:
>Even if $input contains '%' or '_', those characters get properly escaped.
What versions are you using?
The versions I'm using are a bit old.
DBD::Pg 1.22 (3 versions old)
Postgresql 7.3.4
Schema+data:
create table test3 (a integer, b text);
insert into test3 (a,b) values (1,'a');
insert into test3 (a,b) values (2,'b');
insert into test3 (a,b) values (3,'c');
insert into test3 (a,b) values (4,'d');
code:
#!/usr/bin/perl -wT
use strict;
use DBI();
my ($DBNAME,$DBUSER,$DBPASS)=('DB','user','pass');
# AutoCommit is switched off through the DSN driver attributes, so the
# update below only becomes visible after the explicit commit
my $dbh = DBI->connect('DBI:Pg(AutoCommit => 0):dbname='.$DBNAME,$DBUSER,$DBPASS)
    or die('Unable to connect to database|'.$DBI::errstr);
# one placeholder, bound to the value -1, placed directly after the literal "1-"
dbdo("update test3 set a=1-? where a=4","error testing",-1);
$dbh->commit;
$dbh->disconnect();
exit 0;
# dbdo($sql, $errmsg, @bind_values): prepare and execute $sql, passing the
# remaining arguments as placeholder values; dies with $errmsg on failure
sub dbdo {
my $SQL=shift||'';
# dolog('DEBUG',$SQL);
my $errmsg=shift||'Unable to run database query!';
my $sth=$dbh->prepare($SQL) or die($errmsg.'|'.$DBI::errstr);
# dolog('DEBUG','prepared');
my $rv='';
$rv=$sth->execute(@_) or die($errmsg.'|'.$DBI::errstr);
# dolog('DEBUG','executed');
return ($sth,$rv);
}
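The test above binds -1 into "1-?". As an added illustration of why that case matters (this is not code from the post, and it does not reproduce DBD::Pg's actual implementation), the following Python script emulates a hypothetical client-side placeholder substitution and runs the resulting text against an in-memory SQLite copy of the test3 table, then runs the same statement with the driver's own parameter binding. The naive_interpolate helper and the SQLite stand-in for PostgreSQL are assumptions made for the demonstration; what it shows is that pasting a negative number after a literal minus produces "1--1", which a SQL parser reads as "1" followed by a "--" comment, so the WHERE clause is silently discarded and every row is updated.

```python
import sqlite3

# Constructed copy of the schema and data from the post
SCHEMA = """
create table test3 (a integer, b text);
insert into test3 (a,b) values (1,'a');
insert into test3 (a,b) values (2,'b');
insert into test3 (a,b) values (3,'c');
insert into test3 (a,b) values (4,'d');
"""

# The statement from the post, with the same single placeholder
SQL = "update test3 set a=1-? where a=4"


def naive_interpolate(sql, params):
    """Hypothetical client-side substitution: each '?' is replaced by the
    textual form of its value (numbers unquoted, strings single-quoted with
    embedded quotes doubled). This is an assumption for the demo, not the
    code of any real driver."""
    out = []
    values = iter(params)
    for ch in sql:
        if ch == "?":
            v = next(values)
            if isinstance(v, (int, float)):
                out.append(str(v))
            else:
                out.append("'" + str(v).replace("'", "''") + "'")
        else:
            out.append(ch)
    return "".join(out)


def fresh_db():
    """In-memory SQLite database loaded with the test3 rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rows(conn):
    return conn.execute("select a, b from test3 order by b").fetchall()


def run_naive(sql, params):
    """Build the statement text client-side and execute it as a bare string.
    Returns (statement_text, table_contents_afterwards)."""
    conn = fresh_db()
    text = naive_interpolate(sql, params)
    conn.execute(text)
    result = rows(conn)
    conn.close()
    return text, result


def run_bound(sql, params):
    """Let the driver bind the value itself; the SQL text is never rewritten."""
    conn = fresh_db()
    conn.execute(sql, params)
    result = rows(conn)
    conn.close()
    return result


if __name__ == "__main__":
    text, after = run_naive(SQL, [-1])
    print("naive text :", text)          # update test3 set a=1--1 where a=4
    print("naive rows :", after)         # every row now has a=1
    print("bound rows :", run_bound(SQL, [-1]))  # only row 'd' changes, to 2
```

With the naive emulation the comment swallows "where a=4", so all four rows end up with a=1; with real parameter binding the expression is evaluated as 1-(-1)=2 for row 'd' only. The safe pattern is the one the post's dbdo() already uses, prepare plus execute with bind values, provided the driver hands the values to the server (or at least parenthesises what it substitutes) rather than splicing raw text into the statement.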