Re: possible design bug with PQescapeString() - Mailing list pgsql-hackers

From Florian Weimer
Subject Re: possible design bug with PQescapeString()
Msg-id 873bifk6f2.fsf@mid.deneb.enyo.de
In response to possible design bug with PQescapeString()  (Tatsuo Ishii <ishii@sraoss.co.jp>)
Responses Re: possible design bug with PQescapeString()
Re: possible design bug with PQescapeString()
List pgsql-hackers
* Tatsuo Ishii:

> Users can input value for "var" from a web form. The attacker inputs
> following string:
>
> (0x95+0x27);DELETE FROM members;--
>
> where 0x95+0x27 is actually a SJIS multibyte KANJI. Programmer applies
> PQescapeString() to it and gets:
>
> 0x95+0x27+0x27;DELETE FROM members;--

Uh-oh, this is my fault.  PQescapeString should escape all characters
greater than 126.  Unfortunately, there is nothing we can do about
this in the current function because that would need four times the
length of the input string (plus one).  Drat.

(I don't think you should have to consider the encoding in the client;
strange things may happen if there is an interpretation conflict
between the client and the backend.)
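The following is an added example, not code from the thread or from libpq. It models the two behaviours discussed above byte for byte: an encoding-blind quote-doubling escape (the behaviour Tatsuo describes), and the alternative Florian sketches, which rewrites every byte above 126 as a backslash-octal escape and therefore needs a 4*len+1 output buffer. The attacker string (an assumed lead byte 0x95 followed by 0x27) is constructed from the quoted message. The "backend" is a deliberately minimal lexer that, as an assumption for the demonstration, treats any byte >= 0x80 as the first of a two-byte character and honours backslash escapes inside '...' literals, as backends of that era did; `sql_after_literal` returns whatever SQL that lexer sees after the string literal closes, so a non-empty result is exactly the injection.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed attacker input from the thread: an SJIS lead byte (0x95)
   immediately followed by a single quote (0x27), then the payload. */
static const char ATTACK[] = "\x95';DELETE FROM members;--";

/* Quote-doubling with no encoding knowledge, modelling the behaviour the
   thread describes for PQescapeString(): every 0x27 becomes 0x27 0x27.
   'to' must hold 2*len+1 bytes. Returns bytes written (excluding the NUL). */
size_t escape_naive(char *to, const char *from, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'')
            to[n++] = '\'';
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}

/* One reading of the fix Florian sketches (illustration, not libpq's code):
   every byte above 126 is emitted as \ooo, so it can never pair up with the
   byte that follows it on the server side. Worst case is four output bytes
   per input byte, hence the 4*len+1 buffer. 'to' must hold 4*len+1 bytes. */
size_t escape_octal(char *to, const char *from, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) from[i];
        if (c > 126) {
            n += (size_t) sprintf(to + n, "\\%03o", c);
        } else if (c == '\'' || c == '\\') {
            to[n++] = (char) c;          /* doubled: '' and \\ */
            to[n++] = (char) c;
        } else {
            to[n++] = (char) c;
        }
    }
    to[n] = '\0';
    return n;
}

/* Minimal model of a backend lexer reading a '...' literal under an
   SJIS-style rule (assumed): a byte >= 0x80 is a lead byte that swallows the
   next byte, a backslash swallows the next byte, and '' is an escaped quote.
   sql[0] must be the opening quote. Returns the index just past the closing
   quote, or len if the literal never terminates. */
size_t literal_end(const char *sql, size_t len)
{
    size_t i = 1;
    while (i < len) {
        unsigned char c = (unsigned char) sql[i];
        if (c >= 0x80 || c == '\\') {
            i += 2;                      /* lead byte or escape: skip the pair */
        } else if (c == '\'') {
            if (i + 1 < len && sql[i + 1] == '\'')
                i += 2;                  /* doubled quote stays inside the literal */
            else
                return i + 1;            /* closing quote */
        } else {
            i++;
        }
    }
    return len;
}

/* Escapes ATTACK with the given escaper, embeds it in a query, and returns a
   pointer to the SQL the modelled backend sees after the literal closes.
   An empty string means the literal safely ran to the end of the statement;
   anything else is SQL the attacker controls. NULL on buffer overflow. */
const char *sql_after_literal(size_t (*esc)(char *, const char *, size_t),
                              char *buf, size_t bufsz)
{
    char escaped[4 * (sizeof ATTACK - 1) + 1];
    esc(escaped, ATTACK, sizeof ATTACK - 1);
    int n = snprintf(buf, bufsz, "SELECT 1 FROM members WHERE name = '%s'", escaped);
    if (n < 0 || (size_t) n >= bufsz)
        return NULL;
    const char *lit = strchr(buf, '\'');         /* opening quote of the literal */
    size_t remaining = (size_t) n - (size_t) (lit - buf);
    return lit + literal_end(lit, remaining);
}

int main(void)
{
    char buf[256];
    printf("naive : after literal -> \"%s\"\n", sql_after_literal(escape_naive, buf, sizeof buf));
    printf("octal : after literal -> \"%s\"\n", sql_after_literal(escape_octal, buf, sizeof buf));
    return 0;
}
```

With the naive escaper the lead byte swallows the first of the two quotes, the second quote closes the literal, and `;DELETE FROM members;--` runs as its own statement; with the octal escaper the lead byte arrives as `\225`, the doubled quote stays doubled, and the literal runs to the end of the statement. The model also makes Florian's parenthetical concrete: the outcome depends entirely on whether client and backend agree on which bytes are lead bytes.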

