From: Doug McNaught <doug(at)mcnaught(dot)org>
To: Geoff Caplan <geoff(at)variosoft(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Sql injection attacks
Date: 2004-07-26 14:30:07
Message-ID: 877jsq7seo.fsf@asmodeus.mcnaught.org
Lists: pgsql-general
Geoff Caplan <geoff(at)variosoft(dot)com> writes:
> Doug,
>
> DM> Geoff Caplan <geoff(at)variosoft(dot)com> writes:
>
>>> But in web work, you are often using GET/POST data directly in your
>>> SQL clauses, so the untrusted data is part of the query syntax and not
>>> just a value.
>
> DM> Can you give an example of this that isn't also an example of
> DM> obviously bad application design?
>
> I'm no expert to put it mildly, but if you Google for "SQL Injection
> Attack" you'll find a lot of papers by security agencies and
> consultancies. You could start with these:
That doesn't answer my question. :)
If you're trusting the user (via GET or POST data) to hand you valid
SQL fragments, even just column names, you Deserve To Lose. The only
things that come in via GET or POST should be data values, and they
should either be explicitly escaped, or used in prepared statements
where the driver takes care of the escaping.
-Doug
--
Let us cross over the river, and rest under the shade of the trees.
--T. J. Jackson, 1863
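The two rules Doug states above (GET/POST input is data, never SQL syntax; bind it as a parameter or escape it, and do not accept identifiers such as column names from the client at all) are shown side by side below. This is an added example, not code from the thread or from PostgreSQL; it uses Python's bundled sqlite3 module as a stand-in for a PostgreSQL driver (the placeholder is `?` here where psycopg-style drivers use `%s`), the `users` table and its rows are constructed for the demonstration, and `ALLOWED_SORT_COLUMNS` is an assumed application allowlist.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "o'brien", "user")],
    )
    return conn


def find_by_name_unsafe(conn, name):
    """String concatenation: the request value is pasted into the SQL text,
    so any quote it contains changes the query's syntax."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_safe(conn, name):
    """Bound parameter: the driver passes the value separately from the
    statement text, so it is always treated as a literal value."""
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Assumed allowlist: identifiers cannot be bound as parameters, so a column
# name coming from the client must be checked against a fixed set instead.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_sorted(conn, sort_column):
    """Accept a sort column from the request only if it is on the allowlist."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (sort_column,))
    sql = "SELECT id, name FROM users ORDER BY " + sort_column
    return [row[1] for row in conn.execute(sql)]


def demo():
    """Run each variant and collect what the caller actually gets back."""
    conn = make_db()
    results = {}
    # A legitimate name containing an apostrophe.
    results["safe_quote"] = find_by_name_safe(conn, "o'brien")
    try:
        results["unsafe_quote"] = find_by_name_unsafe(conn, "o'brien")
    except sqlite3.OperationalError:
        # The concatenated statement is no longer valid SQL.
        results["unsafe_quote"] = "syntax error"
    # A value crafted so the quote closes the literal early.
    tautology = "x' OR '1'='1"
    results["unsafe_tautology"] = find_by_name_unsafe(conn, tautology)
    results["safe_tautology"] = find_by_name_safe(conn, tautology)
    # Identifier handling: allowed column works, anything else is rejected.
    results["sorted"] = list_sorted(conn, "name")
    try:
        list_sorted(conn, "name; DROP TABLE users")
        results["identifier_rejected"] = False
    except ValueError:
        results["identifier_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated version fails on an ordinary name with an apostrophe and returns every row for the crafted value, while the bound version returns exactly the rows whose name equals the supplied string in both cases. Note that binding does nothing for the `ORDER BY` column, which is why the allowlist, not escaping, is the right tool for identifiers.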