Doug McNaught wrote:
Geoff Caplan <geoff@variosoft.com> writes:

  
Doug,

DM> Geoff Caplan <geoff@variosoft.com> writes:

    
But in web work, you are often using GET/POST data directly in your
SQL clauses, so the untrusted data is part of the query syntax and not
just a value.
        
DM> Can you give an example of this that isn't also an example of
DM> obviously bad application design?

I'm no expert to put it mildly, but if you Google for "SQL Injection
Attack" you'll find a lot of papers by security agencies and
consultancies. You could start with these:
    

That doesn't answer my question.  :)

If you're trusting the user (via GET or POST data) to hand you valid
SQL fragments, even just column names, you Deserve To Lose.  The only
things that come in via GET or POST should be data values, and they
should either be explicitly escaped, or used in prepared statements
where the driver takes care of the escaping.  

-Doug
Or, if your POST/GET data is necessary to alter your SQL statement, then make it conditional, but never accept raw SQL from the user.  It's easy enough to check for certain fields (such as a checkbox for a boolean AND or OR in your where clause).  But be sure that the checkbox never sends in SQL code, it should just send in a 1 if checked.  Then in your code, you check for that value and you manually program the 2 alternative versions of the SQL statement.  It's more work in design, but it's easier in the long run.

As for escaping the data still being likely to cause problems, if you escape all of the quotes in your data, then the data can never be outside of one of your quoted columns of data.  If the user sends in the data "valid data' SQL code here", and you escape, that entire string because just data, because it becomes "valid data\' SQL code here".  As a result, it will never be allowed outside of the column data (ie, the entire thing will be treated as data).  If the field is a non-character field, you can simply strip out all quotes, and any "data" that is invalid will be rejected by the PostgreSQL engine.  For example, if a date field is what the user is trying to compromise, and you remove the quotes, the system will just give an error saying invalid date format.  This is, of course, if you don't want to do software validation (i.e. basic data reasonability checks).

Personally, I don't trust the users to give me valid SQL fragments, so I only treat inbound data as data.  Users are dangerous, and users with a little knowledge are more dangerous, so I don't want my users to have a need or desire to learn SQL.
-- 
Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools, Data-Business Office
1711 W. Irving Blvd. Ste 310
Irving, Tx  75061
Web: www.winfreeacademy.com