Home > mailing lists

Re: escaping literals (in libpq) - Mailing list pgsql-interfaces

From	Michael Fuhr
Subject	Re: escaping literals (in libpq)
Date	April 3, 2005 20:33:48
Msg-id	20050403163339.GA86021@winnie.fuhr.org Whole thread Raw
In response to	escaping literals (in libpq) (Volkan YAZICI <yazicivo@ttnet.net.tr>)
Responses	Re: escaping literals (in libpq)
List	pgsql-interfaces

Tree view

On Sun, Apr 03, 2005 at 03:27:47AM +0300, Volkan YAZICI wrote:
> 
> By using PQescapeString() and PQescapeBytea() we can protect SQL
> commands from SQL-Injection. I just wonder if it's necessary to
> use these escape functions when using PQexecParams() or
> PQsendQueryParams(); or these execParam functions don't need
> escaping literals?

Here's an excerpt from the PQexecParams() documentation:
   The primary advantage of PQexecParams over PQexec is that   parameter values may be separated from the command
string,thus   avoiding the need for tedious and error-prone quoting and   escaping.

Run some tests: create queries that do simple (but harmless) SQL
injection, submit them unescaped with PQexec() to verify that the
injection works, then escape them and submit them with PQexec() to
verify that escaping prevents the injection, then submit them
unescaped with PQexecParams() and observe what happens, then escape
them and submit them with PQexecParams() and observe what happens.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/

pgsql-interfaces by date:

From: John DeSoi
Date: 03 April 2005, 17:40:37
Subject: Re: MacSQL connectivity

From: Volkan YAZICI
Date: 03 April 2005, 21:11:56
Subject: Re: escaping literals (in libpq)

Re: escaping literals (in libpq) - Mailing list pgsql-interfaces

Previous

Next