Re: Sql injection attacks - Mailing list pgsql-general

From Doug McNaught
Subject Re: Sql injection attacks
Msg-id 877jsq7seo.fsf@asmodeus.mcnaught.org
In response to Re: Sql injection attacks  (Geoff Caplan <geoff@variosoft.com>)
List pgsql-general
Geoff Caplan <geoff@variosoft.com> writes:

> Doug,
>
> DM> Geoff Caplan <geoff@variosoft.com> writes:
>
>>> But in web work, you are often using GET/POST data directly in your
>>> SQL clauses, so the untrusted data is part of the query syntax and not
>>> just a value.
>
> DM> Can you give an example of this that isn't also an example of
> DM> obviously bad application design?
>
> I'm no expert to put it mildly, but if you Google for "SQL Injection
> Attack" you'll find a lot of papers by security agencies and
> consultancies. You could start with these:

That doesn't answer my question.  :)

If you're trusting the user (via GET or POST data) to hand you valid
SQL fragments, even just column names, you Deserve To Lose.  The only
things that come in via GET or POST should be data values, and they
should either be explicitly escaped, or used in prepared statements
where the driver takes care of the escaping.

-Doug
--
Let us cross over the river, and rest under the shade of the trees.
   --T. J. Jackson, 1863
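The distinction Doug draws, values bound as parameters versus request data pasted into the query text (and the special case of column names, which cannot be bound as parameters), as an added example that is not part of the thread. It uses Python's standard-library sqlite3 module so it runs offline; with a PostgreSQL driver such as psycopg the placeholder would be %s instead of ?, but the pattern is the same. The table, rows and the ALLOWED_SORT_COLUMNS allow-list are constructed for the example.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the GET/POST value becomes part of the SQL syntax.

    Anything containing a quote character changes the shape of the WHERE
    clause instead of being compared as a string.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Prepared/parameterized form: the driver sends the value separately.

    The value is only ever compared against the column; it can never be
    parsed as SQL, so no manual escaping is needed.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifiers (column names) cannot be bound as parameters, so a request may
# only select from a fixed set the application defines.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_sorted(conn, sort_col):
    """Sort by a request-chosen column, validated against the allow-list.

    Rejecting unknown names up front is the only safe way to let a client
    influence query structure; the quoted identifier is then one of ours.
    """
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_col)
    return conn.execute('SELECT name FROM users ORDER BY "%s"' % sort_col).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input with a quote character
    print("unsafe:", lookup_unsafe(db, probe))  # matches every row
    print("safe:  ", lookup_safe(db, probe))    # matches nothing
    print("sorted:", list_sorted(db, "email"))
```

Run the module directly to see the three behaviours side by side; the parameterized lookup returns no rows for the probe string because the whole string is compared as a value, while the concatenated version has its WHERE clause rewritten.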
