cjs@cynic.net (Curt Sampson) wrote in
> On Mon, 19 Aug 2002 ngpg@grymmjack.com wrote:
>
>> $input = "user'name";
>> INSERT INTO db (name) VALUES ('$input');
>>
>> will fail because the ' in the input needs to be escaped with a
>> backslash.
>
> It will fail because you're doing this a very, very, very bad way.
> Why rewrite this kind of stuff when the vendor has already made
> correct code available?
>
> PreparedStatement stmt = connection.prepareStatement(
> "INSERT INTO db (name) VALUES (?)");
> stmt.setString("user'name");
> stmt.execute();
>
> cjs
Curt:
I am not doing it this way, I am trying to point out that doing it without
"doing something" (whether it be using preparedstatement or WHATEVER), is,
as you say, very very very bad (I am agreeing with you). I am further
saying that whatever it is you do, you should also be doing some other
simple validation, like the length of the inputs, because most inputs wont
be over 255 chars before being prepared. This is just an example, but you
should do whatever validation would apply to you (and this is probably true
coding for any user input whether it involves a db or not). I am just
saying this is good practice in my opinion and had these people that
brought up the issue in the first place were doing it, then pgsql's
shortcomings would not have been as severe a problem. Things I am not
saying are: its ok for pgsql to have this DoS problem; its the frontends
responsibility to maintain data integrity not the backend.
