Postgres Pro
Downloads
Home   >   mailing lists

Escaping metacharacters - Mailing list pgsql-hackers

From DarkSamurai
Subject Escaping metacharacters
Date
Msg-id Y9DJc.619$ZD81.585@news04.bloor.is.net.cable.rogers.com
Whole thread Raw
Responses Re: Escaping metacharacters  (Oliver Elphick <olly@lfix.co.uk>)
Re: Escaping metacharacters  (Greg Stark <gsstark@mit.edu>)
List pgsql-hackers
Tree view 
Hi,

To prevent SQL injections, I try to neutralize SQL metacharacters.

ex:

Code:


> function SQLString($s) {
>     $s = str_replace("'", "\\s", $s)'
>     $s = str_replace("\\", "\\\\", $s);
>     return "'" . $s . "'";



And suppose I use this :

> $cat = $GET["category"];
> $query = " SELECT Id, Title, Abstract FROM News " . "Where Category=" . $cat;




If a malicious user tries to input
1' UNION SELECT 1, Usr, Pass FROM Usr

it would just pass as plain text like 1 \' UNION SELECT 1, Usr, Pass 
FROM Usr

[edit]
And if he tried 1\' UNION (...) it would pass 1\\\' UNION (...) to the 
database server.
[/edit]

Is that safe from SQL injection?

pgsql-hackers by date:

Previous
From: Christopher Browne
Date:
Subject: Re: Release planning
Next
From: "Marc G. Fournier"
Date:
Subject: Re: Toward better documentation