Quick Links

Re: Secure "where in(a,b,c)" clause.

From:	Rodrigo E(dot) De León Plicet <rdeleonp(at)gmail(dot)com>
To:	"William Temperley" <willtemperley(at)gmail(dot)com>
Cc:	pgsql-general(at)postgresql(dot)org
Subject:	Re: Secure "where in(a,b,c)" clause.
Date:	2008-04-03 17:20:46
Message-ID:	a55915760804031020n6ebc0e67had8acb70f36b93f2@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-general

On Thu, Apr 3, 2008 at 11:50 AM, William Temperley
<willtemperley(at)gmail(dot)com> wrote:
> This works very well, however I'm currently directly concatenating a sql query:
>
> select st_collect(the_geom) from tiles where tilename in
> (<comma delimited list>))
>
> Which leaves my application vulnerable to sql injection.
>
> As the length of the comma delimited list is highly variable I don't
> think I can use a prepared query to increase security.

Use a prepared query and ANY, e.g.:

select st_collect(the_geom) from tiles
where tilename = any('{foo,bar,baz}');

In response to

Secure "where in(a,b,c)" clause. at 2008-04-03 16:50:39 from William Temperley

Browse pgsql-general by date

	From	Date	Subject
Next Message	Adam Rich	2008-04-03 17:21:12	Re: Secure "where in(a,b,c)" clause.
Previous Message	Andrew Dunstan	2008-04-03 17:16:39	Re: [GENERAL] SHA1 on postgres 8.3