From: | "Yasuo Ohgaki" <yasuo_ohgaki(at)hotmial(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: PQexec() with multiple sql statements. |
Date: | 2001-04-10 00:19:47 |
Message-ID: | 9atjja$gv8$1@news.tht.net |
Lists: | pgsql-general |
Thanks for your reply.
"Lincoln Yeoh" <lyeoh(at)pop(dot)jaring(dot)my> wrote in message
news:3(dot)0(dot)5(dot)32(dot)20010409121916(dot)00851100(at)192(dot)228(dot)128(dot)13(dot)(dot)(dot)
> When I checked some time back some PHP + MySQL scripts allowed multiple SQL
> statements per query - just stick a semicolon in somewhere, and you can do
> ANY arbitrary SQL you want.
>
> for example:
>
> select * from mytable where field='$cgiparam'
>
> Someone just has to make sure $cgiparam is
> 1';drop table blah; select '1
>
> And then you're screwed. Of course you aren't supposed to write apps that
> way, but anyone want to tell the masses out there?
Even with current pg_Exec (PQExec), the same thing can be done.
So any inputs from users must be checked anyway.
As most web programmers do not trust any user inputs, I check user inputs at both
the form class level (using HTML form field definitions) and the db class level (using
metadata from system tables), so it should be fine. (There are also many other
security protections at the network/host/application/user levels.)
However, I see some PHP scripts that do not handle user inputs properly. It's
worth mentioning :)
I believe most PostgreSQL/PHP users do this, but anyway:
Don't forget to use addslashes() for user inputs before feeding them to
PostgreSQL at least.
Regards,
--
Yasuo Ohgaki
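
The effect described in the quoted text, as an added example that is not part of the original message or of libpq: the message's query is built with the quoted value, and a small splitter counts the statements a single PQexec() call would receive, with and without doubling single quotes. All helper names are hypothetical, and the splitter assumes standard SQL literals where '' is the only escape (it does not model addslashes()-style backslash escapes).

```c
#include <stdio.h>

/* Count SQL statements in q: semicolons outside '...' literals separate them.
   A doubled quote ('') inside a literal is an escaped quote, not a terminator. */
int count_statements(const char *q) {
    int in_lit = 0, has_text = 0, n = 0;
    for (; *q; q++) {
        if (in_lit) {
            if (*q == '\'') {
                if (q[1] == '\'') q++;   /* escaped quote, stay in literal */
                else in_lit = 0;         /* literal closed */
            }
        } else if (*q == '\'') {
            in_lit = 1; has_text = 1;
        } else if (*q == ';') {
            if (has_text) n++;           /* end of a non-empty statement */
            has_text = 0;
        } else if (*q != ' ' && *q != '\t' && *q != '\n') {
            has_text = 1;
        }
    }
    return n + has_text;                 /* last statement may lack a ';' */
}

/* Double every single quote in src. Returns 0, or -1 if dst is too small. */
int escape_literal(char *dst, size_t cap, const char *src) {
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        if (o + 3 > cap) return -1;      /* up to 2 chars plus the NUL */
        if (*src == '\'') dst[o++] = '\'';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Build the message's query around param and count the resulting statements. */
int statements_for(const char *param, int escape) {
    char esc[256], q[512];
    if (escape) {
        if (escape_literal(esc, sizeof esc, param) != 0) return -1;
        param = esc;
    }
    int n = snprintf(q, sizeof q, "select * from mytable where field='%s'", param);
    if (n < 0 || (size_t)n >= sizeof q) return -1;
    return count_statements(q);
}
```

In libpq, PQexecParams() passes values separately from the command text and accepts at most one SQL command per string.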