Re: SQL safe input? - Mailing list pgsql-novice

From Bruno Wolff III
Subject Re: SQL safe input?
Msg-id 20050826204415.GA11078@wolff.to
In response to SQL safe input?  (cbraden <cbraden@douglasknight.com>)
Responses Re: SQL safe input?  (Philip Hallstrom <postgresql@philip.pjkh.com>)
Re: SQL safe input?  (<operationsengineer1@yahoo.com>)
List pgsql-novice
On Fri, Aug 26, 2005 at 15:53:14 -0400,
  cbraden <cbraden@douglasknight.com> wrote:
> Folks,
>
> I would like to know how to prevent SQL attacks on a PostgreSQL server.
>
> I know in MySQL you can put any input going to the DB through a filter
> which encodes anything which would be malicious into MySQL safe data.  I
> need something similar in PostgreSQL.  Specifically as a PHP
> implementation if it exists.

IMO the best way to do this is to use bind parameters to pass user input
to queries. Then you don't need to escape anything. You might still check
for very long strings.
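The approach Bruno describes, as an added PHP example that is not part of the original thread: the commented-out line splices user input into the SQL text, the replacement sends the statement and the value separately with pg_query_params, after the length check he mentions. The connection string, the `users` table and the 64-character limit are assumptions.

```php
<?php
// Added example (not from the original thread). Assumes a PostgreSQL
// connection and a table users(username text, email text).
$conn = pg_connect("host=localhost dbname=app user=app password=secret")
    or die("connection failed");

$username = $_GET['username'] ?? '';

// Unsafe: the value becomes part of the SQL text, so a quote character in
// it changes the structure of the statement. Kept only for contrast.
// $res = pg_query($conn, "SELECT email FROM users WHERE username = '$username'");

// Bruno's advice: bind parameters make escaping unnecessary, but very long
// input is still worth rejecting up front (limit is an assumed value).
if (strlen($username) > 64) {
    http_response_code(400);
    exit("username too long");
}

// pg_query_params sends the statement and the parameters separately; the
// server parses the SQL first and only then fills $1 with the value, so the
// value can never be read as SQL. Single quotes keep PHP from interpolating $1.
$res = pg_query_params(
    $conn,
    'SELECT email FROM users WHERE username = $1',
    [$username]
);
if ($res === false) {
    exit("query failed: " . pg_last_error($conn));
}
while ($row = pg_fetch_assoc($res)) {
    // Escape on output as well, since the DB value is untrusted for HTML.
    echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The same separation of SQL text from data is available through PDO prepared statements (`$pdo->prepare(...)->execute([...])`) if the code base uses PDO rather than the pg_* functions.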
