Re: PQexec() with multiple sql statements.

From: "Yasuo Ohgaki" <yasuo_ohgaki(at)hotmial(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: PQexec() with multiple sql statements.
Date: 2001-04-10 00:19:47
Message-ID: 9atjja$gv8$1@news.tht.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Thank for your reply.

"Lincoln Yeoh" <lyeoh(at)pop(dot)jaring(dot)my> wrote in message
news:3(dot)0(dot)5(dot)32(dot)20010409121916(dot)00851100(at)192(dot)228(dot)128(dot)13(dot)(dot)(dot)

> When I checked some time back some PHP + MySQL scripts allowed multiple SQL
> statements per query - just stick a semicolon in somewhere, and you can do
> ANY arbitrary SQL you want.
>
> for example:
>
> select * from mytable where field='$cgiparam'
>
> Someone just has to make sure $cgiparam is
> 1';drop table blah; select '1
>
> And then you're screwed. Of course you aren't supposed to write apps that
> way, but anyone want to tell the masses out there?

Even with current pg_Exec (PQExec), the same thing can be done.
So any inputs from users must be checked anyway.

As most web programmers do not trust any user inputs, I check user inputs both
form class level (Using HTML form fields definition) and db class level (Using
metadata from system tables), so it should be fine. (There are many other
security protections at network/host/application/user levels also)

However, I see a some PHP scripts that do not handle user inputs properly. It's
worth to mention :)

I believe most PostgreSQL/PHP users do this, but anyway
Don't forget to use addslashes() for user inputs before feeding them to
PostgreSQL at least.

Regards,
--
Yasuo Ohgaki

In response to

Browse pgsql-general by date

  From Date Subject
Next Message charlie derr 2001-04-10 00:46:25 RE: Re: Windows install
Previous Message Michelle Murrain 2001-04-10 00:13:00 Have a question