Re: SQL injection, php and queueing multiple statement - Mailing list pgsql-general

From paul rivers
Subject Re: SQL injection, php and queueing multiple statement
Date
Msg-id 48010684.80608@gmail.com
In response to Re: SQL injection, php and queueing multiple statement  (Ivan Sergio Borgonovo <mail@webthatworks.it>)
Responses Re: SQL injection, php and queueing multiple statement  (Peter Wilson <petew@yellowhawk.co.uk>)
Re: SQL injection, php and queueing multiple statement  (Gregory Stark <stark@enterprisedb.com>)
Re: SQL injection, php and queueing multiple statement  (Craig Ringer <craig@postnewspapers.com.au>)
List pgsql-general
Ivan Sergio Borgonovo wrote:
> Yeah... but how can I effectively enforce the policy that ALL input
> will be passed through prepared statements?
>

Code reviews are about the only way to enforce this.


> If I can't, and I doubt there is a system that will let me enforce
> that policy at a reasonable cost, why not provide a safety net that
> will at least raise the bar for the attacker at a very cheap cost?
>

How do you do this? Disallow string concatenation and/or variable
interpolation for any string that's going to be shipped off to the
database? Do you parse the SQL string according to the rules of any
backend database you might be talking to, to see if you have a where
clause not using a prepared statement? I.e., nothing is going to work here.

You're stuck with making sure developers know the most rudimentary
things about talking to a database.
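As an added illustration of what the thread is arguing about (this is example code, not code from the list or from any poster), the following PHP shows the interpolated query that the discussion warns against next to the parameterised forms that PHP's pgsql extension provides. It assumes a reachable PostgreSQL server, a table `users(id, name)`, and placeholder connection credentials; `find_user_unsafe`, `find_user_safe` and `find_user_prepared` are names chosen here.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumes: PostgreSQL reachable with the placeholder credentials below and a
// table users(id integer, name text). Table and function names are illustrative.

$conn = pg_connect("host=localhost dbname=app user=app password=CHANGE_ME");
if ($conn === false) {
    die("connection failed\n");
}

// In a real application this value comes from the request and is attacker-controlled.
// The constructed default contains a quote so the difference between the variants is visible.
$name = isset($_GET['name']) ? $_GET['name'] : "O'Brien";

// VULNERABLE: the value is interpolated into the SQL text, so a quote or a
// semicolon inside $name changes the statement itself. pg_query() also accepts
// several ';'-separated statements in one call, which is the "queueing multiple
// statements" concern raised in the thread. Kept here only as the 'before' case.
function find_user_unsafe($conn, $name)
{
    return pg_query($conn, "SELECT id, name FROM users WHERE name = '$name'");
}

// SAFE: the SQL text is fixed and carries only a placeholder; the value travels
// separately as a parameter and is never parsed as SQL. pg_query_params()
// accepts exactly one statement, so nothing can be queued behind it.
function find_user_safe($conn, $name)
{
    return pg_query_params($conn, 'SELECT id, name FROM users WHERE name = $1', array($name));
}

// Same protection with an explicit server-side prepared statement, which also
// lets the plan be reused across repeated executions in the same session.
function find_user_prepared($conn, $name)
{
    $stmt = 'find_user_by_name';
    if (pg_prepare($conn, $stmt, 'SELECT id, name FROM users WHERE name = $1') === false) {
        return false;
    }
    return pg_execute($conn, $stmt, array($name));
}

// When a value genuinely has to appear in the SQL text (identifiers such as
// table names cannot be parameters), let the driver quote it rather than doing
// it by hand: these use the connection's encoding and escaping rules.
$literal = pg_escape_literal($conn, $name);      // e.g. 'O''Brien'
$ident   = pg_escape_identifier($conn, 'users'); // "users"

$res = find_user_safe($conn, $name);
while ($res !== false && ($row = pg_fetch_assoc($res)) !== false) {
    printf("%s: %s\n", $row['id'], $row['name']);
}
pg_close($conn);
```

The point the thread makes still holds: the driver only protects the calls that actually go through `pg_query_params()` or `pg_execute()`, and nothing in PHP stops a developer from writing the first variant, which is why the reply above falls back on code review.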


