| From: | "B(dot) van Ouwerkerk" <bvo(at)atz(dot)nl> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-29 10:46:45 |
| Message-ID: | 6.0.0.22.0.20040729123957.02ac5b70@pop.atz.nl |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> > That can be confirmed by setting $dbh->trace_level to something greater
> or equal
> > than 2 and looking at the Pg DBD driver's output.
>
>Shit, you're right. The $dbh->quote() called for the placeholders
>escapes strings for INSERTing, but not for LIKE comparisons. So this
>is one of the few places where using placeholders is not enough.
>
>At least my erroneous assumption can't be used for an SQL injection
>attack - you just get more results than you would get if you escape
>the wildcards by hand.
I've been reading this discussion and I asked myself whether you guys
remove/replace unwanted chars from strings you get from the web or not..
If you do remove them AFAIK it doesn't only prevent SQL injection but also XSS.
B.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Elie Nacache | 2004-07-29 12:02:44 | how to limit user to open another session |
| Previous Message | Harald Fuchs | 2004-07-29 09:57:33 | Re: Sql injection attacks |