Re: Sql injection attacks - Mailing list pgsql-general

From: Lincoln Yeoh
Subject: Re: Sql injection attacks
Msg-id: 5.2.1.1.1.20040729045139.02b49448@localhost
In response to: Re: Sql injection attacks (Harald Fuchs <hf0722x@protecting.net>)
List: pgsql-general
At 05:30 PM 7/28/2004 +0200, Harald Fuchs wrote:

>Even if $input contains '%' or '_', those characters get properly escaped.

What versions are you using?

The versions I'm using are a bit old.

DBD::Pg 1.22 (3 versions old)
Postgresql 7.3.4

Schema+data:
create table test3 (a integer, b text);
insert into test3 (a,b) values (1,'a');
insert into test3 (a,b) values (2,'b');
insert into test3 (a,b) values (3,'c');
insert into test3 (a,b) values (4,'d');

code:
#!/usr/bin/perl -wT
use strict;
use DBI();

my ($DBNAME, $DBUSER, $DBPASS) = ('DB', 'user', 'pass');

# AutoCommit is switched off in the DSN's driver-attribute list, so the
# update below only becomes visible after the explicit commit.
my $dbh = DBI->connect('DBI:Pg(AutoCommit => 0):dbname=' . $DBNAME,
                       $DBUSER, $DBPASS)
    or die("Unable to connect|$DBI::errstr");

# Bind -1 to the placeholder in "1-?" (the test case under discussion).
dbdo("update test3 set a=1-? where a=4", "error testing", -1);
$dbh->commit;
$dbh->disconnect();
exit 0;

# dbdo(SQL, error message, bind values...) -> (statement handle, execute result)
sub dbdo {
    my $SQL    = shift || '';
#   dolog('DEBUG', $SQL);
    my $errmsg = shift || 'Unable to run database query!';
    my $sth    = $dbh->prepare($SQL) or die($errmsg . '|' . $DBI::errstr);
#   dolog('DEBUG', 'prepared');
    my $rv     = '';
    $rv = $sth->execute(@_) or die($errmsg . '|' . $DBI::errstr);
#   dolog('DEBUG', 'executed');
    return ($sth, $rv);
}
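The test above binds -1 against "1-?" and checks which rows change. The following is an added example, not code from the original post or from DBD::Pg: it rebuilds the same test3 table in an in-memory SQLite database (chosen so the example runs offline; SQLite, like PostgreSQL, treats "--" as a comment start) and runs the same update twice, once with the value bound through a placeholder and once spliced into the SQL text. The second variant shows what the test is guarding against: a driver that interpolates instead of binding turns "a=1-" followed by "-1" into "a=1--1 where a=4", so the rest of the statement is a comment and every row is updated.

```python
import sqlite3

# Constructed copy of the schema and data from the post.
SCHEMA = """
create table test3 (a integer, b text);
insert into test3 (a,b) values (1,'a');
insert into test3 (a,b) values (2,'b');
insert into test3 (a,b) values (3,'c');
insert into test3 (a,b) values (4,'d');
"""


def fresh_db():
    """Return a new in-memory database loaded with the test3 table."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def rows(con):
    """Current contents of test3, ordered by b so results are stable."""
    return con.execute("select a, b from test3 order by b").fetchall()


def update_bound(con, value):
    """Bind `value` through a placeholder; the driver sends it as data,
    so the SQL text is never re-parsed with the value inside it.
    Returns the number of rows the update touched."""
    cur = con.execute("update test3 set a=1-? where a=4", (value,))
    con.commit()
    return cur.rowcount


def update_interpolated(con, value):
    """Splice `value` into the SQL text (the unsafe pattern a placeholder
    implementation must NOT fall back to). Returns (sql_sent, rowcount)
    so the caller can see both the statement and its effect."""
    sql = "update test3 set a=1-%s where a=4" % value
    cur = con.execute(sql)
    con.commit()
    return sql, cur.rowcount


if __name__ == "__main__":
    con = fresh_db()
    print("bound:       rows changed =", update_bound(con, -1), rows(con))
    con = fresh_db()
    sql, n = update_interpolated(con, -1)
    print("interpolated:", repr(sql), "rows changed =", n, rows(con))
```

With the placeholder, one row changes (d gets a = 1 - (-1) = 2). With interpolation, the statement sent is "update test3 set a=1--1 where a=4", the WHERE clause is commented out, and all four rows are set to a=1. Checking the row count after such a test, as the post's update does implicitly, is the quickest way to tell which behaviour a driver actually has.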