Re: Secure "where in(a,b,c)" clause. - Mailing list pgsql-general

From Rodrigo E. De León Plicet
Subject Re: Secure "where in(a,b,c)" clause.
Date
Msg-id a55915760804031020n6ebc0e67had8acb70f36b93f2@mail.gmail.com
In response to Secure "where in(a,b,c)" clause.  ("William Temperley" <willtemperley@gmail.com>)
List pgsql-general
On Thu, Apr 3, 2008 at 11:50 AM, William Temperley
<willtemperley@gmail.com> wrote:
>  This works very well, however I'm currently directly concatenating a sql query:
>
>  select st_collect(the_geom) from tiles where tilename in
>     (<comma delimited list>)
>
>  Which leaves my application vulnerable to sql injection.
>
>  As the length of the comma delimited list is highly variable I don't
>  think I can use a prepared query to increase security.

Use a prepared query and ANY, e.g.:

select st_collect(the_geom) from tiles
where tilename = any('{foo,bar,baz}');
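The same pattern as a server-side prepared statement, added here as an example (not from the thread); it assumes the poster's table `tiles` with columns `tilename` (text) and `the_geom`. The whole list travels as one `text[]` parameter, so its length no longer matters:

```sql
-- Added example, not code from the thread. Assumes table "tiles" with
-- columns tilename (text) and the_geom, as in the original question.
PREPARE collect_tiles(text[]) AS
    select st_collect(the_geom)
    from tiles
    where tilename = any($1);

-- One parameter carries the whole array, however many names there are.
EXECUTE collect_tiles(ARRAY['foo', 'bar', 'baz']);
EXECUTE collect_tiles(ARRAY['foo']);

-- The values are bound as data, not spliced into the SQL text: a name
-- containing a quote, a comma or braces is just compared as a string
-- and cannot change the shape of the query.
EXECUTE collect_tiles(ARRAY['foo', 'bar''s, tile', '{baz}']);

DEALLOCATE collect_tiles;
```

Client-side drivers bind the same way: pass the list as a single array-typed parameter for the `any($1)` placeholder (psycopg2, for instance, adapts a Python list to a PostgreSQL ARRAY) rather than concatenating it into the statement.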
