From: | Mohamed <mohamed5432154321(at)gmail(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: to_tsquery, plainto_... avoiding bad input, injections. Is there a builtin function for this ? Escaping? |
Date: | 2009-01-08 16:33:08 |
Message-ID: | 861fed220901080833k555f0eb7se29376b822bcecda@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Yeah, would Python protect you from that ? I am using Groovy on Grails and
not sure how these things work here. Most of the time I use GORM to do my
queries, but now I am stuck with SQL because of fulltext search with
Postgres. Perhaps there is some similiar things in Groovy to run, I will
check into that.
/ Moe
On Thu, Jan 8, 2009 at 5:20 PM, Christopher Swingley <cswingle(at)gmail(dot)com>wrote:
> Greetings!
>
> > Wed, Jan 7, 2009 at 8:07 PM, Mohamed <mohamed5432154321(at)gmail(dot)com>
> > > Hi, I am wondering whether or not there exists any built in
> > > function for making sure a query/textinput is not harmful or one
> > > that escapes them. If not, what kind of things should I watch out
> > > for ?
> >
> > * Reg Me Please <regmeplease(at)gmail(dot)com> [2009-Jan-08 00:20 AKST]:
> > Maybe I'm missing the point, but have read about quote_ident() and
> > quote_literal() at chapter 9.4 "String Functions and Operators"?
>
> quote_literal() does seem like a good choice for getting the quoting
> correct. As far as protecting yourself from SQL injection attacks, you
> may want to look at the options available in the programming language
> you are using to get user input. In Python, for example, you can run
> queries as follows:
>
> parameters = (12, "bar", True)
> query = "INSERT INTO foo VALUES (%d, %s, %s);"
> cursor.execute(query, parameters)
> cursor.commit()
>
> Python fills the '%X' fields with the parameters after verifying they
> are safe. Probably best to test how much protection this offers.
>
> I believe the risk isn't so much a question of quoting or special
> characters, but carefully crafted input variables. For example, what if
> the second parameter was:
>
> "'bar', True); DELETE FROM foo; INSERT INTO foo VALUES (1, 'bar',"
>
> Cheers,
>
> Chris
> --
> Christopher S. Swingley
> http://swingleydev.com/
> <cswingle(at)gmail(dot)com>
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>
From | Date | Subject | |
---|---|---|---|
Next Message | Richard Huxton | 2009-01-08 16:37:11 | Re: SQL state: 22P02 Error during a COPY FROM a CSV file |
Previous Message | Richard Huxton | 2009-01-08 16:31:35 | Re: Cannot restart postgresql when increasing max_connections |