Yeah, would Python protect you from that ? I am using Groovy on Grails and not sure how these things work here. Most of the time I use GORM to do my queries, but now I am stuck with SQL because of fulltext search with Postgres. Perhaps there is some similiar things in Groovy to run, I will check into that.
/ Moe
On Thu, Jan 8, 2009 at 5:20 PM, Christopher Swingley <cswingle@gmail.com> wrote:
> > Hi, I am wondering whether or not there exists any built in > > function for making sure a query/textinput is not harmful or one > > that escapes them. If not, what kind of things should I watch out > > for ? >
> Maybe I'm missing the point, but have read about quote_ident() and > quote_literal() at chapter 9.4 "String Functions and Operators"?
quote_literal() does seem like a good choice for getting the quoting correct. As far as protecting yourself from SQL injection attacks, you may want to look at the options available in the programming language you are using to get user input. In Python, for example, you can run queries as follows:
Python fills the '%X' fields with the parameters after verifying they are safe. Probably best to test how much protection this offers.
I believe the risk isn't so much a question of quoting or special characters, but carefully crafted input variables. For example, what if the second parameter was:
"'bar', True); DELETE FROM foo; INSERT INTO foo VALUES (1, 'bar',"
