Home > mailing lists

Secure "where in(a,b,c)" clause. - Mailing list pgsql-general

From	William Temperley
Subject	Secure "where in(a,b,c)" clause.
Date	April 3, 2008 16:50:50
Msg-id	439dc11e0804030950v7c042200wd10e558c4fe3fa43@mail.gmail.com Whole thread Raw
Responses	Re: Secure "where in(a,b,c)" clause. (Steve Atkins <steve@blighty.com>) Re: Secure "where in(a,b,c)" clause. ("Rodrigo E. De León Plicet" <rdeleonp@gmail.com>) Re: Secure "where in(a,b,c)" clause. ("Richard Broersma" <richard.broersma@gmail.com>) Re: Secure "where in(a,b,c)" clause. (Adam Rich <adam.r@sbcglobal.net>) Re: Secure "where in(a,b,c)" clause. (brian <brian@zijn-digital.com>)
List	pgsql-general

Tree view

Hi All

I hope this isn't a FAQ, but does anyone have any suggestions as to
how to make a query that selects using:
 "where in(<comma delimited list>)"
secure from an sql injection point of view?

I have grid of tiles I'm using to reference geographical points.
These tiles are identical to the tiling system google maps uses. My
google maps application works out the tiles it wants to display as a
list of tile names, and sends this list to a php script.

This works very well, however I'm currently directly concatenating a sql query:

select st_collect(the_geom) from tiles where tilename in
    (<comma delimited list>))

Which leaves my application vulnerable to sql injection.

As the length of the comma delimited list is highly variable I don't
think I can use a prepared query to increase security.

Thanks

Will

pgsql-general by date:

From: rihad
Date: 03 April 2008, 16:45:03
Subject: choosing the right locking mode

From: "Scott Marlowe"
Date: 03 April 2008, 16:51:14
Subject: Re: deadlock

Secure "where in(a,b,c)" clause. - Mailing list pgsql-general

Previous

Next