From: Michael Glaesemann <grzm(at)myrealbox(dot)com>
To: Alex Turner <armtuk(at)gmail(dot)com>
Cc: "Matthew D(dot) Fuller" <fullermd(at)over-yonder(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Murphy <murphy(at)genome(dot)chop(dot)edu>, PostgreSQL general <pgsql-general(at)postgresql(dot)org>
Subject: Re: SQL injection
Date: 2005-11-02 23:08:30
Message-ID: DBB6B456-8884-47BB-B9BF-E609E5B53846@myrealbox.com
Lists: pgsql-general

On Nov 3, 2005, at 4:26, Alex Turner wrote:
> My point is that with magic_quotes on in PHP, php already escapes
> quotes for you in all inbound variables. This makes the process
> automatic, and therefore foolproof, which is kinda the whole point.
> You want a mechanism that there isn't an easy way around, like
> forgetting to db_quote once in a while. I'm just trying to find out
> if there is an example where magic quotes by itself doesn't work, and
> there is a viable injection attack possible, and if so, what it is, so
> I can figure out how to prevent it ;).
I'm wondering if using magic_quotes will have issues down the pipe
when backslash escaping is no longer the default in PostgreSQL to
follow SQL spec. Am I correct in thinking that either the SQL
statements would have to be rewritten to use E'' strings, the server
setting would have to allow the use of backslashes, or magic_quotes
would have to be turned off and variables otherwise escaped to
prevent SQL injection?
As an aside, it's interesting to see that the PHP documentation states:
---
Magic Quotes is a process that automagically escapes incoming data to
the PHP script. It's preferred to code with magic quotes off and to
instead escape the data at runtime, as needed.
---
http://jp.php.net/magic_quotes
Michael Glaesemann
grzm myrealbox com
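As an added illustration of the question above (this is not code from the thread, from PHP or from PostgreSQL): a small Python model of how the server reads one quoted literal with standard_conforming_strings off, on, and with the E'' prefix, used to check whether a value escaped as magic_quotes did (addslashes) or by SQL-standard quote doubling still forms a single intact literal. It goes beyond the message by also covering the converse case, a value ending in a backslash that is only quote-doubled under the old backslash-escaping default; the escape table is a simplification that omits octal, hex and Unicode escapes.

```python
# Added example, not from the thread, PHP or PostgreSQL: a simplified model of the server's literal lexer.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}  # octal/hex/unicode omitted

def addslashes(value: str) -> str:
    """Escape as PHP's magic_quotes_gpc did: a backslash before ' " \\ and NUL."""
    return "".join(("\\" + ch) if ch in "'\"\\\0" else ch for ch in value)

def double_quotes(value: str) -> str:
    """SQL-standard escaping: a quote inside a literal is written as ''."""
    return value.replace("'", "''")

def scan_literal(sql: str, standard_conforming_strings: bool) -> tuple[str, int]:
    """Read the literal at sql[0] (plain '...' or E'...') as the server would: backslash
    escapes are honoured with standard_conforming_strings off or inside E'' strings, and
    '' is always one quote. Returns (value, index past the closing quote) or raises."""
    backslashes, i = not standard_conforming_strings, 0
    if sql[:2].upper() == "E'":
        backslashes, i = True, 1
    i, value = i + 1, []                                    # skip the opening quote
    while i < len(sql):
        ch = sql[i]
        if ch == "'" and sql[i + 1:i + 2] == "'":           # doubled quote
            value.append("'")
            i += 2
        elif ch == "'":                                       # closing quote
            return "".join(value), i + 1
        elif ch == "\\" and backslashes and i + 1 < len(sql):
            value.append(ESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        else:
            value.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def literal_is_intact(escaped: str, scs: bool, prefix: str = "") -> bool:
    """True when prefix'escaped' is exactly one literal ending at the final quote."""
    sql = f"{prefix}'{escaped}'"
    try:
        return scan_literal(sql, scs)[1] == len(sql)
    except ValueError:
        return False

if __name__ == "__main__":
    name = "O'Brien"                                          # constructed sample input
    for scs in (False, True):
        print(f"standard_conforming_strings={'on' if scs else 'off'}:",
              "addslashes", literal_is_intact(addslashes(name), scs),
              "doubled", literal_is_intact(double_quotes(name), scs),
              "E''+addslashes", literal_is_intact(addslashes(name), scs, "E"))
```

With standard_conforming_strings on, the addslashes form is no longer intact unless the statement is rewritten as an E'' string, which is exactly the choice the message lays out; quote doubling survives both settings, but only the driver's parameter handling or a server-aware escape removes the dependency on the setting altogether.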