| From: | "Dawid Kuroczko" <qnex42(at)gmail(dot)com> |
|---|---|
| To: | "Ivan Sergio Borgonovo" <mail(at)webthatworks(dot)it> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection, php and queueing multiple statement |
| Date: | 2008-04-12 18:52:11 |
| Message-ID: | 758d5e7f0804121152r4b0dc61arbca4a68a3a8c42e5@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Apr 11, 2008 at 9:21 PM, Ivan Sergio Borgonovo
<mail(at)webthatworks(dot)it> wrote:
> Is there a switch (php side or pg side) to avoid things like:
>
> pg_query("select id from table1 where a=$i");
>
> into becoming
>
> pg_query("select id from table1 where a=1 and 1=1; do something
> nasty; -- ");
>
> So that every
> pg_query(...) can contain no more than one statement?
Well, use prepared statements.
Apart from that, make it impossible to "do something nasty". Your
php_db_user should be
allowed as little as possible. Specifically:
* she should not be owner of the tables/other objects -- this way you are safe
from nasty "DROP TABLE"s and the like.
* you should decide where she is allowed to INSERT/UPDATE/DELETE, the latter
two are the most dangerous ones.
* you should make use of referential integrity constraints -- so evil
DELETE or UPDATE
will probably fail on these. ;)
* you should provide PL/pgSQL stored procedures to update your vital
data. So evil
bulk delete/update will be harder to accomplish (if your evildoer can
craft exploit to
do it, he probably already has a lot of access to your system ;)).
...oh and think about isolating read-only acces (read only user) from
rw-user -- if
that sounds reasonable to do so.
Regards,
Dawid
| From | Date | Subject | |
|---|---|---|---|
| Next Message | paul rivers | 2008-04-12 18:59:16 | Re: SQL injection, php and queueing multiple statement |
| Previous Message | Dawid Kuroczko | 2008-04-12 18:34:14 | Re: Postgres on shared network drive |