Home > mailing lists

Re: Secure "where in(a,b,c)" clause. - Mailing list pgsql-general

From	Adam Rich
Subject	Re: Secure "where in(a,b,c)" clause.
Date	April 3, 2008 17:28:00
Msg-id	239101.92496.qm@web81402.mail.mud.yahoo.com Whole thread Raw
In response to	Secure "where in(a,b,c)" clause. ("William Temperley" <willtemperley@gmail.com>)
List	pgsql-general

Tree view

> I hope this isn't a FAQ, but does anyone have any
> suggestions as to
> how to make a query that selects using:
>  "where in(<comma delimited list>)"
> secure from an sql injection point of view?
>
> As the length of the comma delimited list is highly
> variable I don't
> think I can use a prepared query to increase
> security.
>

Prepared query, no.. but you can still use parameter
binding.  Determine how many parameters you need, and
create a query like this:

where in ($1, $2, $3, $4, $5)

and then bind each of those parameters.  This works
well enough for small numbesr of parameters.  Somebody
else will have to answer if there's a better way for
larger quantities.

pgsql-general by date:

From: "Richard Broersma"
Date: 03 April 2008, 17:24:13
Subject: Re: Secure "where in(a,b,c)" clause.

From: rihad
Date: 03 April 2008, 17:32:07
Subject: Re: choosing the right locking mode

Re: Secure "where in(a,b,c)" clause. - Mailing list pgsql-general

Previous

Next