From: PFC <lists(at)peufeu(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Gregory Stark" <stark(at)enterprisedb(dot)com>
Cc: "Andrew Sullivan" <ajs(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-05-01 16:33:07
Message-ID: op.uahhlhb2cigqcu@apollo13.peufeu.com
Lists: pgsql-hackers
> Sure, modifying the WHERE clause is still possible, but the attacker is
> a lot more limited in what he can do if he can't tack on a whole new
> command.
I hacked into a site like that some day to show a guy that you shouldn't
trust magicquotes (especially when you switch hosting providers and it's
not installed at your new provider, lol).
Binary search on the password field by adding some stuff to the WHERE...
You could still wipe out tables (just add a "' OR 1;--" to the id in the
URL to delete something...)
But it's true that preventing multi-statements adds a layer of
idiot-proofness... a rather thin layer...
>
> The important aspects of this that I see are:
>
> 1. Inexpensive to implement;
> 2. Unlikely to break most applications;
> 3. Closes off a fairly large class of injection attacks.
>
> The cost/benefit ratio looks pretty good (unlike the idea that started
> this thread...)
>
> regards, tom lane
>