Re: Preventing sql injection - Mailing list pgsql-admin

From Alvaro Herrera
Subject Re: Preventing sql injection
Date
Msg-id 20050810171108.GF7871@alvh.no-ip.org
Whole thread Raw
In response to Preventing sql injection  (Rick Roman <rick@cotse.net>)
Responses Re: Preventing sql injection
List pgsql-admin
On Wed, Aug 10, 2005 at 10:02:05AM -0700, Rick Roman wrote:
> I have a web application that will allow users to submit comments. The
> database activity consists of a single insert statement into a comments
> table. I want to lock down this operation against sql injection attacks.
> Can someone point me to a discussion of general principles? I've seen
> reference to V3 extended-query protocol. Where is this invoked? Other
> suggestions?

What language are you using?

The general principle is that you have to look user input for certain
chars, such as ' and \, and escape them somehow.

There's another way, which is using new features of the v3 protocol.
One easy way to do that is using PQexecParams() instead of PQexec(), if
you are dealing with C programs.

--
Alvaro Herrera (<alvherre[a]alvh.no-ip.org>)
"In a specialized industrial society, it would be a disaster
to have kids running around loose." (Paul Graham)

pgsql-admin by date:

Previous
From: Rick Roman
Date:
Subject: Preventing sql injection
Next
From: Rick Roman
Date:
Subject: Re: Preventing sql injection