From: | Gregory Stark <stark(at)enterprisedb(dot)com> |
---|---|
To: | Andrew Sullivan <ajs(at)commandprompt(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Protection from SQL injection |
Date: | 2008-05-01 15:07:08 |
Message-ID: | 87bq3qm5b7.fsf@oxford.xeocode.com |
Lists: | pgsql-hackers |
"Andrew Sullivan" <ajs(at)commandprompt(dot)com> writes:
> The _principal_ trick with SQL injection is to fool the application
> into somehow handing a ";" followed by an arbitrary SQL statement.
> There are of course other things one can do, but most of them are
> constrained to abuse of statements your application already performs.
> This injection problem, on the other hand, allows an attacker to do
> whatever they want.
They're the principal trick only because they're the most convenient. If you
block them (as you can today by using PQexecParams() !!!) then people will
switch to other things.
cf.
http://www.areino.com/hackeando/
(there is a semicolon here but that's a Microsoft-ism, Postgres would actually
be more affected by this style of attack without the semicolon)
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Ask me about EnterpriseDB's Slony Replication support!
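An added illustration of the argument in this message (example code, not from the thread or from PostgreSQL): Python's standard-library sqlite3 stands in for libpq so it runs offline. Like a libpq client calling PQexecParams, it accepts one statement per call, so the stacked-statement trick is already rejected, yet a semicolon-free tautology still succeeds against string concatenation, and only parameter binding removes it. The table, rows and payloads are constructed for the demo.

```python
"""Why blocking ';' is not enough: stacked statements vs. parameter binding."""
import sqlite3


def make_db():
    # Constructed sample data standing in for an application table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: user data is spliced into the SQL text, so the
    # parser sees attacker-controlled syntax, not just a value.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    # Hardened pattern: the SQL text is fixed and the value travels out of
    # band, which is what PQexecParams gives a libpq client.
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed payloads: one relies on ';' to stack a statement, one does not.
STACKED = "x'; DROP TABLE users; --"
TAUTOLOGY = "x' OR '1'='1"


def demo():
    conn = make_db()
    results = {}
    # The single-statement API refuses the stacked payload outright
    # (Warning on older Pythons, ProgrammingError on newer ones).
    try:
        lookup_concat(conn, STACKED)
        results["stacked_blocked"] = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["stacked_blocked"] = True
    # No semicolon needed: concatenation leaks every row ...
    results["concat_tautology"] = lookup_concat(conn, TAUTOLOGY)
    # ... while binding treats the whole string as a (non-matching) name.
    results["bound_tautology"] = lookup_bound(conn, TAUTOLOGY)
    results["bound_legit"] = lookup_bound(conn, "alice")
    return results


if __name__ == "__main__":
    print(demo())
```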