| From: | Harald Fuchs <hf0722x(at)protecting(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-26 17:25:46 |
| Message-ID: | pubri2n0it.fsf@srv.protecting.net |
| Lists: | pgsql-general |
In article <27702(dot)1090854781(at)sss(dot)pgh(dot)pa(dot)us>,
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> Geoff Caplan <geoff(at)variosoft(dot)com> writes:
>> Obviously, proper validation is a given for all kinds of reasons. But
>> the problem with validation/escaping as the primary defense against
>> injection seems to be that simply escaping would not catch every type
>> of insertion via strings.
> I think you misunderstood. Escaping is perfectly safe (given a correct
> escaping function) if it's used on *every* untrustworthy input string.
> The argument for the "keep data separate from code" approach is
> essentially just that it's easier to be sure you haven't forgotten
> anyplace where you need to escape.
Exactly. As long as you escape everything, you're safe. The only
thing to remember is that you have to escape in both directions:
whatever you get from your web page and want to put into the DB should
be SQL-escaped, and whatever you get from the DB and want to display
on a web page should be HTML-escaped (including error messages from
PostgreSQL).
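The "escape in both directions" discipline described in this reply, as an added example that is not part of the thread and not PostgreSQL project code. It SQL-escapes a web-form value on the way into the database, HTML-escapes the same value on the way back out to a page, and for contrast stores a second copy with a bound parameter (the "keep data separate from code" approach from Tom Lane's message). An in-memory sqlite3 database stands in for PostgreSQL because it uses the same single-quote doubling rule for standard string literals; the table name, the `NAME_FROM_WEB` sample and the function names are constructed for this example.

```python
import html
import sqlite3

# Constructed sample input: what a visitor might type into a web form.
# The embedded quote tries to end the SQL string literal early, and the
# tags would become markup if the value were echoed back unescaped.
NAME_FROM_WEB = "O'Brien'); --<b>not bold</b>"


def sql_escape_literal(value: str) -> str:
    """Direction 1 (web -> DB): make an SQL string literal by doubling every
    embedded single quote. This is the rule for standard-conforming string
    literals in PostgreSQL (the same thing quote_literal() does server-side).
    The point of the thread: apply it to *every* untrusted string, no exceptions."""
    return "'" + value.replace("'", "''") + "'"


def html_escape_for_page(value: str) -> str:
    """Direction 2 (DB -> web): escape anything read back from the database
    before it is written into HTML. The same goes for database error text."""
    return html.escape(value, quote=True)


def build_insert(name: str) -> str:
    """Build the INSERT with the escaped literal spliced into the SQL text."""
    return "INSERT INTO users(name) VALUES (" + sql_escape_literal(name) + ")"


def unescaped_insert_rejected(name: str) -> bool:
    """What a forgotten escape looks like: the raw value is spliced into the
    SQL and the database refuses the mangled statement. Returns True if the
    statement was rejected. (sqlite3 only runs one statement per execute();
    other drivers would happily run whatever followed the broken literal.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    try:
        conn.execute("INSERT INTO users(name) VALUES ('" + name + "')")
        return False
    except sqlite3.Error:
        return True
    finally:
        conn.close()


def store_and_render(name: str) -> dict:
    """Round trip: escaped literal in, HTML-escaped string out.
    sqlite3 in memory stands in for PostgreSQL here (assumption: the
    single-quote doubling rule is what matters, and both engines share it)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.execute(build_insert(name))
    stored = conn.execute("SELECT name FROM users").fetchone()[0]
    # The alternative from the thread: a bound parameter. The driver never
    # splices the value into SQL text, so there is nothing to forget to escape.
    conn.execute("INSERT INTO users(name) VALUES (?)", (name,))
    rows = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    conn.close()
    return {"stored": stored, "html": html_escape_for_page(stored), "rows": rows}


if __name__ == "__main__":
    result = store_and_render(NAME_FROM_WEB)
    print("SQL sent:   ", build_insert(NAME_FROM_WEB))
    print("stored:     ", result["stored"])
    print("for HTML:   ", result["html"])
    print("rows:       ", result["rows"])
    print("unescaped rejected:", unescaped_insert_rejected(NAME_FROM_WEB))
```

The stored value comes back byte-for-byte identical to what the form sent; the escaping protects the SQL statement, not the data, which is why the second, independent HTML-escaping step is still needed before the value reaches a browser.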