Quick Links

Re: to_tsquery, plainto_... avoiding bad input, injections. Is there a builtin function for this ? Escaping?

From:	Mohamed <mohamed5432154321(at)gmail(dot)com>
To:	pgsql-general(at)postgresql(dot)org
Subject:	Re: to_tsquery, plainto_... avoiding bad input, injections. Is there a builtin function for this ? Escaping?
Date:	2009-01-08 16:33:08
Message-ID:	861fed220901080833k555f0eb7se29376b822bcecda@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-general

Yeah, would Python protect you from that ? I am using Groovy on Grails and
not sure how these things work here. Most of the time I use GORM to do my
queries, but now I am stuck with SQL because of fulltext search with
Postgres. Perhaps there is some similiar things in Groovy to run, I will
check into that.
/ Moe

On Thu, Jan 8, 2009 at 5:20 PM, Christopher Swingley <cswingle(at)gmail(dot)com>wrote:

> Greetings!
>
> > Wed, Jan 7, 2009 at 8:07 PM, Mohamed <mohamed5432154321(at)gmail(dot)com>
> > > Hi, I am wondering whether or not there exists any built in
> > > function for making sure a query/textinput is not harmful or one
> > > that escapes them. If not, what kind of things should I watch out
> > > for ?
> >
> > * Reg Me Please <regmeplease(at)gmail(dot)com> [2009-Jan-08 00:20 AKST]:
> > Maybe I'm missing the point, but have read about quote_ident() and
> > quote_literal() at chapter 9.4 "String Functions and Operators"?
>
> quote_literal() does seem like a good choice for getting the quoting
> correct. As far as protecting yourself from SQL injection attacks, you
> may want to look at the options available in the programming language
> you are using to get user input. In Python, for example, you can run
> queries as follows:
>
> parameters = (12, "bar", True)
> query = "INSERT INTO foo VALUES (%d, %s, %s);"
> cursor.execute(query, parameters)
> cursor.commit()
>
> Python fills the '%X' fields with the parameters after verifying they
> are safe. Probably best to test how much protection this offers.
>
> I believe the risk isn't so much a question of quoting or special
> characters, but carefully crafted input variables. For example, what if
> the second parameter was:
>
> "'bar', True); DELETE FROM foo; INSERT INTO foo VALUES (1, 'bar',"
>
> Cheers,
>
> Chris
> --
> Christopher S. Swingley
> http://swingleydev.com/
> <cswingle(at)gmail(dot)com>
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

In response to

Re: to_tsquery, plainto_... avoiding bad input, injections. Is there a builtin function for this ? Escaping? at 2009-01-08 16:20:22 from Christopher Swingley

Responses

Re: to_tsquery, plainto_... avoiding bad input, injections. Is there a builtin function for this ? Escaping? at 2009-01-08 19:30:23 from Will Rutherdale (rutherw)

Browse pgsql-general by date

	From	Date	Subject
Next Message	Richard Huxton	2009-01-08 16:37:11	Re: SQL state: 22P02 Error during a COPY FROM a CSV file
Previous Message	Richard Huxton	2009-01-08 16:31:35	Re: Cannot restart postgresql when increasing max_connections