Home > mailing lists

Re: Effectiveness of pg_escape_string at blocking SQL - Mailing list pgsql-php

From	Andrew McMillan
Subject	Re: Effectiveness of pg_escape_string at blocking SQL
Date	May 28, 2005 05:02:17
Msg-id	1117256480.30150.172.camel@lamb.mcmillan.net.nz Whole thread Raw
In response to	Re: Effectiveness of pg_escape_string at blocking SQL injection (Ed Finkler <coj@cerias.purdue.edu>)
List	pgsql-php

Tree view

On Fri, 2005-05-27 at 11:33 -0500, Ed Finkler wrote:
> Volkan YAZICI wrote:
>
> [snip]
>
> > If you think, they're not enough for SQL-Injection attacks, I'd advice
> > you to patch libpq code, not PHP.
>
> This is very helpful information.  My initial thinking is that this
> wouldn't be effective at catching SQL injections, but I'll need to
> bounce this off a few other folks.

Given the modus operandi of an SQL inject attack, this should be
perfectly effective at stopping them.

As Bruno said, however, the "bind parameters" approach is a better
approach in general.

Cheers,
                    Andrew McMillan.

-------------------------------------------------------------------------
Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053, Manners St,  Wellington
WEB: http://catalyst.net.nz/            PHYS: Level 2, 150-154 Willis St
DDI: +64(4)803-2201      MOB: +64(272)DEBIAN      OFFICE: +64(4)499-2267

Attachment

signature.asc

pgsql-php by date:

From: Bruno Wolff III
Date: 27 May 2005, 18:15:02
Subject: Re: Effectiveness of pg_escape_string at blocking SQL injection

From: Volkan YAZICI
Date: 28 May 2005, 07:01:37
Subject: Re: Effectiveness of pg_escape_string at blocking SQL injection attacks

Re: Effectiveness of pg_escape_string at blocking SQL - Mailing list pgsql-php

Attachment

Previous

Next