| From: | Harald Fuchs <hf0923x(at)protecting(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: a stored procedure ..with integer as the parameter |
| Date: | 2005-10-24 20:00:55 |
| Message-ID: | 87oe5eu1l4.fsf@srv.protecting.net |
| Lists: | pgsql-general |
In article <33c6269f0510241144s680be862pfdc0c59dcba06eee(at)mail(dot)gmail(dot)com>,
Alex Turner <armtuk(at)gmail(dot)com> writes:
> As sort of a side discussion - I have postulated that quoting all incoming
> numbers as string would be an effective defense against SQL Injection style
> attacks, as magic quotes would destroy any end-quote type syntax:
> in_value=1
> select * from table where my_id='$in_value';
> as an example for PHP - Postgres will silently perform an atoi on the string to
> make it a number, but it would prevent:
> in_value=1; delete * from user;
> select * from table where my_id=$in_value
> Am I just smoking crack here, or does this approach have some merit?
The former :-)
The correct defense against SQL injection is proper escaping, not quoting.
How about $in_value = '1''; delete * from user'?
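An added example, not code from the thread, that makes the reply's point concrete: the "just quote it" version, the escaped version, and the parameterized lookup a defender should actually use for an integer parameter. It uses Python with sqlite3 standing in for PHP and PostgreSQL; the `users` table, the `HOSTILE` input and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed attacker-style input in the spirit of the thread's "1; delete * from user".
HOSTILE = "1'; DELETE FROM users; --"

def make_db():
    """Constructed in-memory stand-in for the 'user' table mentioned in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (my_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn

def quoted_query(in_value):
    """The proposal from the thread: wrap the incoming 'number' in quotes and nothing
    else. A single quote inside the input still terminates the string literal."""
    return f"SELECT * FROM users WHERE my_id='{in_value}'"

def escaped_query(in_value):
    """Quoting plus SQL escaping (doubling embedded single quotes): the input can no
    longer close the literal, so the whole value stays inside one string."""
    escaped = in_value.replace("'", "''")
    return f"SELECT * FROM users WHERE my_id='{escaped}'"

def lookup_by_id(conn, in_value):
    """Preferred defence for an integer parameter: validate the type in the
    application, then bind it as a parameter so no SQL is ever built from text."""
    my_id = int(in_value)  # raises ValueError for anything that is not an integer
    return conn.execute("SELECT * FROM users WHERE my_id=?", (my_id,)).fetchall()

def demo():
    conn = make_db()
    print(quoted_query(HOSTILE))    # two statements: the input's quote closed the literal
    print(escaped_query(HOSTILE))   # one statement: the literal just never matches
    print(conn.execute(escaped_query(HOSTILE)).fetchall())  # []
    print(lookup_by_id(conn, "1"))  # [(1, 'alice')]
    try:
        lookup_by_id(conn, HOSTILE)
    except ValueError as err:
        print("rejected:", err)
    print(conn.execute("SELECT count(*) FROM users").fetchone()[0])  # 2, nothing deleted

if __name__ == "__main__":
    demo()
```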