Re: Secure "where in(a,b,c)" clause. - Mailing list pgsql-general

From brian
Subject Re: Secure "where in(a,b,c)" clause.
Date
Msg-id 47F51593.1080205@zijn-digital.com
Whole thread Raw
In response to Secure "where in(a,b,c)" clause.  ("William Temperley" <willtemperley@gmail.com>)
List pgsql-general
William Temperley wrote:
> Hi All
>
> I hope this isn't a FAQ, but does anyone have any suggestions as to
> how to make a query that selects using:
>  "where in(<comma delimited list>)"
> secure from an sql injection point of view?
>
> I have grid of tiles I'm using to reference geographical points.
> These tiles are identical to the tiling system google maps uses. My
> google maps application works out the tiles it wants to display as a
> list of tile names, and sends this list to a php script.
>
> This works very well, however I'm currently directly concatenating a sql query:
>
> select st_collect(the_geom) from tiles where tilename in
>     (<comma delimited list>))
>
> Which leaves my application vulnerable to sql injection.
>
> As the length of the comma delimited list is highly variable I don't
> think I can use a prepared query to increase security.
>

Aside from using a prepared statement, your application code can simply
ensure that each named tile follows whatever naming conventions you have
in place. A very basic regex should do.

b

pgsql-general by date:

Previous
From: "Scott Marlowe"
Date:
Subject: Re: choosing the right locking mode
Next
From: Craig Ringer
Date:
Subject: Re: choosing the right locking mode