Re: escaping and sql injection - Mailing list pgsql-general

From Martijn van Oosterhout
Subject Re: escaping and sql injection
Date
Msg-id 20030222000716.GB31264@svana.org
In response to escaping and sql injection  (Dennis Gearon <gearond@cvc.net>)
Responses Re: escaping and sql injection  (Neil Conway <neilc@samurai.com>)
List pgsql-general
On Fri, Feb 21, 2003 at 03:09:01PM -0800, Dennis Gearon wrote:
> Is there any links for escaping characters and sql injection prevention in postgres?
>
> I have read where the ' character is not really the preferred escaping character, but it does seem
> to be the one I've seen for postgres.
>
> Can multiple statements be issued in postgres, like:
>
> 'select count(*) from MyTable; drop MyTable;'

You can solve the SQL injection problem by escaping all single quotes (')
and backslashes (\) with a backslash.

I'm not sure about the multiple statement thing. It used to work but I'm not
sure if it still does.

--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Support bacteria! They're the only culture some people have.
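
The escaping the reply describes, as an added example that is not part of the original thread: both the backslash rule from the reply and the SQL-standard quote-doubling rule in Python, applied to a constructed input of the kind Dennis quoted, with a small scanner that checks the value never leaves its literal. The `standard_conforming_strings` server setting referred to in the comments is a PostgreSQL configuration parameter, not something the thread mentions.

```python
# Added example, not code from the original thread: the two escaping rules
# for PostgreSQL string literals, plus a scanner that checks where a literal
# actually ends. Sample input is constructed; MyTable comes from the thread.
def escape_backslash_style(value: str) -> str:
    """Escape ' and \\ with a backslash, as the reply above suggests.
    Valid only when the server treats backslashes in plain literals as
    escapes: standard_conforming_strings = off (the default before
    PostgreSQL 9.1) or an E'...' literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def escape_standard_style(value: str) -> str:
    """SQL-standard rule: double each single quote; backslash is literal.
    Matches standard_conforming_strings = on, the default since 9.1."""
    return value.replace("'", "''")

def build_query(user_input: str, standard_conforming: bool = True) -> str:
    """Embed user input as a literal using the rule matching the server."""
    esc = escape_standard_style if standard_conforming else escape_backslash_style
    return "SELECT count(*) FROM MyTable WHERE name = '" + esc(user_input) + "'"

def literal_end(sql: str, start: int, standard_conforming: bool) -> int:
    """Index just past the literal opening at sql[start], read with the
    same rule the server would apply."""
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\" and not standard_conforming:
            i += 2                   # backslash escape: skip the next char
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2               # doubled quote stays inside the literal
            else:
                return i + 1         # closing quote
        else:
            i += 1
    raise ValueError("unterminated string literal")

def stays_one_literal(sql: str, standard_conforming: bool) -> bool:
    """True if the value never breaks out of its quotes: the literal runs
    to the end of the query, so no second statement can follow it."""
    return literal_end(sql, sql.index("'"), standard_conforming) == len(sql)

if __name__ == "__main__":
    payload = "x'; drop MyTable; --"   # constructed, modelled on the thread
    for mode in (True, False):
        q = build_query(payload, standard_conforming=mode)
        print(mode, stays_one_literal(q, mode), q)
    # Escaping must match the server setting: backslash-escaped text read
    # by a standard-conforming server ends the literal early (False here).
    print(stays_one_literal(build_query(payload, False), True))
```

The last check is the one to keep in a test suite: whichever rule the client uses must be the one the connected server applies, or the quoting is not closed where the client thinks it is.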
