On Tue, Oct 12, 1999 at 11:53:44AM +0200, Herouth Maoz wrote:
> At 02:31 +0200 on 12/10/1999, Jason Uhlenkott wrote:
>
>
> > The statements I generate are usually of the form:
> > INSERT INTO foo (bar, bas) VALUES ('abc', 'def');
> > but the 'abc' and 'def' come from an untrusted source, so if they supply
> > a string like "def'); delete from foo; '" they can make me do this:
> > INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');
> >
> > What do I need to do to prevent this? My current plan is to prepend a
> > backslash to every single-quote, backslash, and semicolon in the
> > untrusted string. Are there any other special characters I should watch
> > out for? Is it possible to do something evil despite your special
> > characters being prepended with a backslash?
>
> I don't see why you would want to escape a semicolon. If you escape single
> quotes and backslashes, the above situation won't happen - the string won't
> be finished until the first unescaped quote - yours - is encountered.
> Semicolons are not special in strings.
>
> Herouth
I once posted a similar question to the pgsql-novice mailing
list. There, David Rugge (1 Aug 1999) told me to escape ', ", and %,
even though I am not quite sure why you have to escape " and %. But
now that I think of it: you also need to escape \, of course, or
backslashes will either get lost or, even worse, may escape the
closing quote (think of $def="\"). Thus, using Perl and Pg, you would
do:
use Pg;
$conn = ...;
$abc="abc";
$def="def";
$conn->exec("INSERT INTO foo (bar, bas) VALUES ('" . &stdstr($abc) . "', '" . &stdstr($def) . "')";
sub stdstr { local $or = $_[0]; $or =~ s /\'/\\\'/g; $or =~ s /\"/\\\"/g; $or =~ s /%/\\%/g; $or =~ s
/\\/\\\\/g; return $or;
}
Hope that helps,
Albert.
--
--------------------------------------------------------------------------- Post an / Mail to / Skribu al: Albert
Reiner<areiner@tph.tuwien.ac.at>
---------------------------------------------------------------------------
