Re: [SECURITY] DoS attack on backend possible - Mailing list pgsql-hackers

From Curt Sampson
Subject Re: [SECURITY] DoS attack on backend possible
Msg-id Pine.NEB.4.44.0208202027380.697-100000@angelic.cynic.net
In response to Re: [SECURITY] DoS attack on backend possible  (ngpg@grymmjack.com)
List pgsql-hackers
On Mon, 19 Aug 2002 ngpg@grymmjack.com wrote:

> $input = "user'name";
> INSERT INTO db (name) VALUES ('$input');
>
> will fail because the ' in the input needs to be escaped with a
> backslash.

It will fail because you're doing this a very, very, very bad way.
Why rewrite this kind of stuff when the vendor has already made
correct code available?
    PreparedStatement stmt = connection.prepareStatement("INSERT INTO db (name) VALUES (?)");
    stmt.setString(1, "user'name");  // bound as a parameter, so the ' needs no escaping
    stmt.execute();

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
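The difference Curt is pointing at, as an added example that is not part of the original post: pasting the input into the SQL text fails on the same "user'name" value, while binding it as a parameter stores it intact. It uses Python's in-memory sqlite3 as a stand-in for PostgreSQL (an assumption; sqlite3 takes "?" placeholders like JDBC, psycopg takes "%s"), so it runs offline.

```python
import sqlite3

# Constructed input: the value from the thread, containing a single quote.
INPUT = "user'name"


def insert_by_interpolation(conn, value):
    """The pattern quoted in the thread: the value is pasted into the SQL text.
    Returns the driver's error message if the statement fails, else None."""
    sql = "INSERT INTO db (name) VALUES ('%s')" % value
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as e:
        # The ' inside the value ends the literal early and the rest is junk.
        return str(e)


def insert_by_parameter(conn, value):
    """The fix recommended in the reply: the SQL text carries a placeholder
    and the driver sends the value separately, so a quote inside the value
    cannot change the statement. Returns the stored rows."""
    conn.execute("INSERT INTO db (name) VALUES (?)", (value,))
    conn.commit()
    return conn.execute("SELECT name FROM db").fetchall()


def demo():
    # In-memory SQLite stands in for PostgreSQL (assumption); the quoting
    # problem under discussion is the same in both.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (name TEXT)")
    err = insert_by_interpolation(conn, INPUT)   # fails with a syntax error
    rows = insert_by_parameter(conn, INPUT)      # succeeds; value stored verbatim
    return err, rows


if __name__ == "__main__":
    err, rows = demo()
    print("interpolated:", err)
    print("parameterised:", rows)
```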