Re: SQL safe input? - Mailing list pgsql-novice

From Bruno Wolff III
Subject Re: SQL safe input?
Date
Msg-id 20050827033203.GA12406@wolff.to
In response to New-B Question #2  (cbraden <cbraden@douglasknight.com>)
List pgsql-novice
Please keep replies copied to the list in order to give more people a chance
to help and to learn from the discussion.

On Fri, Aug 26, 2005 at 16:48:08 -0400,
  cbraden <cbraden@douglasknight.com> wrote:
> Bruno Wolff III wrote:
>
> >On Fri, Aug 26, 2005 at 15:53:14 -0400,
> > cbraden <cbraden@douglasknight.com> wrote:
> >
> >
> >>Folks,
> >>
> >>I would like to know how to prevent SQL attacks on a PostgreSQL server.
> >>
> >>I know in MySQL you can put any input going to the DB through a filter
> >>which encodes anything which would be malicious into MySQL safe data.  I
> >>need something similar in PostgreSQL.  Specifically as a PHP
> >>implementation if it exists.
> >
> >IMO the best way to do this is to use bind parameters to pass user input
> >to queries. Then you don't need to escape anything. You might still check
> >for very long strings.
> >
> Sir,
>
> Being a novice, I did not understand what you meant.  Do you know a
> reference I can look at to see what you mean?

How you do this depends on how you pass SQL queries to the database.
For example you might want to read the Perl DBI module documentation or
the libpq documentation if you are using that from C. Generally there is
a different library for each programming language.
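The difference between building a query from user input and passing that input as a bind parameter, as an added example that is not part of the original thread. It uses Python's standard-library sqlite3 module purely so it runs offline without a PostgreSQL server; the table, the sample rows and the 64-character length limit are constructed for the example. The lookup_vulnerable and lookup_safe functions and the users table are hypothetical names, and the point they show (the driver sends a bound value as data, so it can never be parsed as SQL) is the same in every driver.

```python
import sqlite3

# Constructed sample data standing in for a real users table (not from the thread).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Assumed application limit. Bind parameters stop injection; they do not stop a
# caller from sending megabytes of text, which is the separate check Bruno mentions.
MAX_NAME_LEN = 64


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation: whatever the user typed becomes SQL text.

    A name like  x' OR '1'='1  closes the string literal and adds a condition that is
    always true, so every row comes back. A legitimate name containing an apostrophe
    (o'brien) breaks the statement instead.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Passes the input as a bind parameter: the SQL text is fixed, the value is data.

    The driver substitutes the placeholder on the database side, so quotes, comment
    markers or keywords in the value are compared literally, never parsed.
    """
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name too long")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print("concatenated:", lookup_vulnerable(db, attack))   # leaks every row
    print("bound:       ", lookup_safe(db, attack))         # matches nothing
    print("apostrophe:  ", lookup_safe(db, "o'brien"))      # no error, no match
```

The same shape in the libraries named in the thread: Perl DBI uses `$dbh->prepare("... WHERE name = ?")` followed by `$sth->execute($name)`; libpq from C uses `PQexecParams` with `$1`-style placeholders and the values in a separate array; PHP's PostgreSQL extension offers `pg_query_params`. In each case the placeholder syntax differs but the query string never contains user data.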
