Re: SQL injection - Mailing list pgsql-general
| From | Alex Turner |
|---|---|
| Subject | Re: SQL injection |
| Date | |
| Msg-id | 33c6269f0510311913q23cbd485i8d3dedfcce3ff0a1@mail.gmail.com Whole thread Raw |
| In response to | Re: SQL injection ("Jim C. Nasby" <jnasby@pervasive.com>) |
| Responses |
Re: SQL injection
("Jim C. Nasby" <jnasby@pervasive.com>)
|
| List | pgsql-general |
I didn't think query plans were cached between sessions, in which case prepeared statements aren't worth much for most HTTP based systems (not counting luckily re-using the same connection using pgpool)... Please correct me if I'm mistaken - I like being wrong ;) Alex On 10/31/05, Jim C. Nasby <jnasby@pervasive.com> wrote: > Does PHP support prepared queries with bound parameters for PostgreSQL? > Not only is that foolproof (unless you're calling a function that uses > an argument to build a query string...), you'll get a performance boost > as well since PostgreSQL won't have to reparse and plan every query. > > On Mon, Oct 31, 2005 at 07:54:58PM +0200, Yonatan Ben-Nes wrote: > > Hi all, > > > > I'm currently trying to build a defence against SQL INJECTION, after > > reading some material on it I arrived to few possible solutions and I > > would like to know if anyone can comment anything about them or maybe > > add a solution of its own: > > > > 1. PachyRand: SQL Randomization for the PostgreSQL JDBC Driver - seems > > to be the best solution (easiest and most protective) though I didnt > > understood entirely if the solution is available for production > > enviorments or not, information can be attained at: > > http://nsl.cs.columbia.edu/projects/pachyrand/ & > > http://mice.cs.columbia.edu/getTechreport.php?techreportID=355&format=pdf& > > > > 2. Running for each data which will be used at the db checks with > > regular expressions to find out if its valid, this method is quite > > complicated to me (dont know regular expressions too much) and it > > demands diffrent checks to each data field (with quite big problems at > > open text data), at the end im afraid that holes will exist.. > > > > 3. Running PHP functions like settype($data, 'integer') to be sure that > > the data which arrive is at the correct format and to the text run > > pg_escape_string($data), I suspect that this method wont block even > > close to 100% of the attacks, just like the former option. > > > > Another factor is the overhead to the system, I think that the previous > > methods don't create much overhead but if anyone have another idea of > > course it will also need to be efficent. > > > > Any new ideas or comments will be received gladly. > > > > Thanks in advance! > > Yonatan Ben-Nes > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 5: don't forget to increase your free space map settings > > > > -- > Jim C. Nasby, Sr. Engineering Consultant jnasby@pervasive.com > Pervasive Software http://pervasive.com work: 512-231-6117 > vcard: http://jim.nasby.net/pervasive.vcf cell: 512-569-9461 > > ---------------------------(end of broadcast)--------------------------- > TIP 3: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faq >
pgsql-general by date: