Re: Sql injection attacks - Mailing list pgsql-general

From Bill Moran
Subject Re: Sql injection attacks
Date
Msg-id 20040725211133.0e798140.wmoran@potentialtech.com
Whole thread Raw
In response to Re: Sql injection attacks  (Geoff Caplan <geoff@variosoft.com>)
Responses Re: Sql injection attacks
Re: Sql injection attacks
Re: Sql injection attacks
List pgsql-general
Geoff Caplan <geoff@variosoft.com> wrote:
> BM> To protect yourself from SQL injections, just pass all your data through
> BM> PQescapeString()
>
> I'm no expert, but the papers I have been reading suggest that the
> usual hygene advice such as don't display DB error messages and escape
> unsafe strings doesn't cover all types of attack. See, for example,
> this:
>
> http://www.net-security.org/article.php?id=571
>
> But so far as I can see, Peter's suggestion should provide a workable
> robust solution. So thanks again!

Hope that works for you.  I still think you're ignoring basic data validation.

Simply put:
1) If the untrusted value is a string, using a proper escape sequence should
   make it safe.
2) If the untrusted value is not a string, then it should be tested for
   proper value (i.e. if it should be a number, it should be ensured that
   it _is_ a number, and nothing else) invalid values should trigger an
   error.

I don't see how storing the SQL in some different location is the correct
way to fix anything?  Besides, the suggestions made in that paper only work
with ASP and JDBC ... how do you accomplish the same thing in PHP, for
example?

Just my opinion.  Take it or leave it as you see fit.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: locale-specific sort algorithms undocumented?
Next
From: jseymour@linxnet.com (Jim Seymour)
Date:
Subject: Re: Sql injection attacks