Re: Limit on number of queries from CGI or PHP (security)

From: Michelle Murrain <mpm(at)norwottuck(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Limit on number of queries from CGI or PHP (security)
Date: 2000-10-17 13:17:50
Message-ID: a05001901b6120121586b@[192.168.1.10]
Lists: pgsql-general

At 1:00 AM -0700 10/17/00, Rikul Patel wrote:
>Hi,
>
>Is there any way I can restrict number of queries to
>only one? Here's the problem:
>
>If a PHP script gets some data as input from the user, and
>the PHP script tries to put this data into PostgreSQL,
>what's keeping the user from modifying the data in a way
>that has PostgreSQL execute two queries?
>
>So instead of some PHP script generating query like
>"select * from table where text='some text' or id=1",
>some malicious user could make it generate "select *
>from table where text='some text' or id=1;delete from
>table"

I don't know if this is possible - but what I do is generally give
the user as little control of the generation of the query as
possible. I generally generate SQL statements in a way that makes it
difficult (I think) to construct a malicious query.

You could also parse the generated SQL before executing it, watching
out for such words as 'delete' or 'update' if that is never going to
be the intention of the query in that instance.

Michelle
--
---------------------------
Michelle Murrain, President
Norwottuck Technology Resources
mpm(at)norwottuck(dot)com
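An added example, not part of the thread above and not code from either poster, showing the three things discussed: the stacked-query injection Rikul describes, the keyword check Michelle suggests, and a parameterized query as the comparison. Python's bundled sqlite3 stands in for PostgreSQL and PHP so it runs offline; the table `t`, its three rows and the payload strings are constructed for the example, and `executescript` is used to model a driver that runs every statement in the string it is handed, which is what PostgreSQL's PQexec does with a multi-statement string.

```python
import re
import sqlite3


def fresh_db():
    """Constructed sample table standing in for the poster's 'table'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table t (id integer primary key, text text);
        insert into t (id, text) values (1, 'alpha'), (2, 'beta'), (3, 'gamma');
    """)
    return conn


def count_rows(conn):
    return conn.execute("select count(*) from t").fetchone()[0]


def build_query_concat(text, id_):
    """The query shape from the original post, built by string concatenation.
    Whatever the user typed lands inside the SQL text unchanged."""
    return "select * from t where text='%s' or id=%s" % (text, id_)


# Constructed payloads. STACKED closes the quote, ends the statement, appends a
# DELETE and comments out the rest; TAUTOLOGY stays inside one statement.
STACKED = "x';delete from t;--"
TAUTOLOGY = "x' or '1'='1"


def stacked_injection_demo():
    """executescript models a driver that executes every statement in the
    string (PQexec behaves this way), so the appended DELETE runs."""
    conn = fresh_db()
    conn.executescript(build_query_concat(STACKED, 1))
    return count_rows(conn)  # 0: the table was emptied by the second statement


# Michelle's suggestion: refuse generated SQL that mentions a write keyword.
BLACKLIST = re.compile(r"\b(delete|update|drop|insert)\b", re.IGNORECASE)


def passes_keyword_check(sql):
    return BLACKLIST.search(sql) is None


def keyword_check_demo():
    """The stacked payload is caught, the single-statement one is not."""
    return (passes_keyword_check(build_query_concat(STACKED, 1)),
            passes_keyword_check(build_query_concat(TAUTOLOGY, 1)))


def tautology_demo():
    """One statement, no forbidden word, yet it returns every row instead of
    only the row with id=1."""
    conn = fresh_db()
    return len(conn.execute(build_query_concat(TAUTOLOGY, 1)).fetchall())


def parameterized_lookup(conn, text, id_):
    """Send the SQL and the values separately; the driver never lets the
    values change the shape of the statement."""
    return conn.execute("select * from t where text=? or id=?", (text, id_)).fetchall()


def parameterized_demo():
    conn = fresh_db()
    rows_stacked = parameterized_lookup(conn, STACKED, 1)
    rows_tautology = parameterized_lookup(conn, TAUTOLOGY, 1)
    # Both payloads are just text values that match nothing; only id=1 matches,
    # and the table still has all three rows.
    return len(rows_stacked), len(rows_tautology), count_rows(conn)


if __name__ == "__main__":
    print("rows left after stacked injection:", stacked_injection_demo())
    print("keyword check (stacked, tautology):", keyword_check_demo())
    print("rows returned by tautology payload:", tautology_demo())
    print("parameterized (rows, rows, table size):", parameterized_demo())
```

The keyword filter stops the exact payload from the post but not the single-statement variant, and a driver that refuses multi-statement strings would stop the first payload while still returning every row for the second; the parameterized form handles both because the user's text never becomes part of the SQL. psycopg2 and PHP's pg_query_params expose the same placeholder mechanism for PostgreSQL.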
