| From: | Michelle Murrain <mpm(at)norwottuck(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Limit on number of queries from CGI or PHP (security) |
| Date: | 2000-10-17 13:17:50 |
| Message-ID: | a05001901b6120121586b@[192.168.1.10] |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
At 1:00 AM -0700 10/17/00, Rikul Patel wrote:
>Hi,
>
>Is there any way I can restrict number of queries to
>only one? Here's the problem:
>
>If PHP script gets some data as input from user, and
>PHP scripts tries to put this data into Postgresql,
>what's keeping the user to modify the data in way to
>have postgresql execute two queries.
>
>So instead of some PHP script generating query like
>"select * from table where text='some text' or id=1",
>some malicious user could make it generate "select *
>from table where text='some text' or id=1;delete from
>table"
I don't know if this is possible - but what I do is generally give
the user as little control of the generation of the query as
possible. I generally generate sql statements in a way that make it
difficult (I think) to construct a malicious query.
You also could parse the generated sql before executing it, watching
out for such words as 'delete' or 'update' if that is never going to
be the intention of the query in that instance.
Michelle
--
---------------------------
Michelle Murrain, President
Norwottuck Technology Resources
mpm(at)norwottuck(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Frank Bax | 2000-10-17 13:31:32 | OpenBSD startup - logfile? |
| Previous Message | luc | 2000-10-17 12:45:21 | off topic |