Illegal characters in database names, table names, user names...

From: Robin Munn <rmunn(at)pobox(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Illegal characters in database names, table names, user names...
Date: 2004-04-22 16:29:41
Message-ID: slrnc8fsnl.soo.rmunn@rmunnlfs.dyndns.org
Lists: pgsql-general

I'm developing a simple proof-of-concept Web application, more as a
personal programming exercise than anything else, that presents the user
with a login form where they can type in a database name, username, and
password. I then present them with a text field to type in SQL queries,
and hand back a nicely-formatted HTML table with the result of their
queries. Basically, just a programming exercise to get my feet wet with
the Web application framework I'm using (a Python-based framework called
Quixote).

As I was writing the database-connection code, I got to thinking about
security. How do I prevent the user from entering something like
"eviluser ; drop database template1" in the username field?

One way to go about it, I thought, would be to examine the dbname,
username, and/or password fields and make sure that they contain only
legal characters. But I couldn't find a reference in the PostgreSQL
documentation to tell me which characters are considered legal or
illegal in database names, usernames, or table names. And what about
passwords? There may be all sorts of punctuation in there.

Is there a list of illegal characters somewhere? What other methods
would you recommend to validate user input before I send it off to
PostgreSQL?

--
Robin Munn
rmunn(at)pobox(dot)com
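The two checks the question is asking for, as an added example that is not part of the original post or of Quixote: a conservative allow-list for names the user types in, and PostgreSQL's own identifier quoting rule (wrap in double quotes, double any embedded double quote) for the cases where a name must be spliced into SQL text. The `connection_params` helper is an assumed shape for handing the form fields to a database driver; the point is that the password never enters SQL text at all.

```python
import re

# Subset of PostgreSQL's unquoted-identifier syntax: a letter or underscore,
# then letters, digits or underscores. Unquoted names are case-folded to
# lowercase by the server; quoted names (below) keep their case.
_PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
MAX_IDENT_BYTES = 63  # NAMEDATALEN - 1; longer names are truncated by the server


def is_safe_identifier(name: str) -> bool:
    """Allow-list check for a database, user or table name typed by a user.
    Anything outside plain identifier syntax is rejected rather than quoted,
    which is the simplest defence when the name is only ever one the user
    already owns or may log in to."""
    return bool(_PLAIN_IDENT.match(name)) and len(name.encode("utf-8")) <= MAX_IDENT_BYTES


def quote_identifier(name: str) -> str:
    """Quote an arbitrary name the way PostgreSQL expects. Inside double
    quotes, spaces, ';' and keywords lose all SQL meaning and become part of
    the name; the only character that cannot be represented is NUL."""
    if "\x00" in name:
        raise ValueError("identifier may not contain NUL")
    if len(name.encode("utf-8")) > MAX_IDENT_BYTES:
        raise ValueError("identifier exceeds 63 bytes")
    return '"' + name.replace('"', '""') + '"'


def connection_params(dbname: str, user: str, password: str) -> dict:
    """Hypothetical helper: form fields become separate driver parameters,
    never SQL text, so the password may contain any punctuation while the
    two names still go through the allow-list."""
    if not is_safe_identifier(dbname):
        raise ValueError("rejected database name")
    if not is_safe_identifier(user):
        raise ValueError("rejected user name")
    return {"dbname": dbname, "user": user, "password": password}
```

With the string from the question, `is_safe_identifier` rejects it outright, and `quote_identifier` turns it into a single harmless name, `"eviluser ; drop database template1"`, rather than two statements.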
