Re: SQL injection - Mailing list pgsql-general

From: MaXX
Subject: Re: SQL injection
Msg-id: dk5scc$tjp$1@talisker.lacave.net
In response to: SQL injection (Yonatan Ben-Nes <da@canaan.co.il>)
Responses: Re: SQL injection (Alex Turner <armtuk@gmail.com>)
List: pgsql-general
Hi,

Yonatan Ben-Nes wrote:
> Hi all,
>
> I'm currently trying to build a defence against SQL INJECTION. After
> reading some material on it I arrived at a few possible solutions, and I
> would like to know if anyone can comment on them or maybe
> add a solution of their own:
[...]

If you're running PHP on an Apache server, check mod_security. You'll have to
tune its default ruleset a little bit, but it does a great job for me. It
will not protect you against tricks like 'chr(39)' (single quote) or the
funnier 'cH%52(123-84)' unless you write specific rules. It inspects both
GET and POST payloads, performs unescaping and lots of other cool things
(protection against shell command injection)...
Be warned, it has some side effects, as it will kick you off if you try to
publish SQL code on your site even if your code isn't malicious, or
sentences that may look like SQL (delete from something)...

As suggested, parameter validation is required; regexps are great for this
job and are easy to learn (do it, you'll see). Do the validation in your PHP
before sending the query to your server (do not rely only on checking
inside stored procedures, as the injection can take place before the actual
checking).

HTH,
--
MaXX
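As an added illustration of the advice above (example code, not part of the original thread or of mod_security): allow-list regexp validation in PHP, run before the query reaches PostgreSQL, alongside a naive deny-list check to show why the post says encoded spellings such as 'cH%52(123-84)' slip past generic rules. The parameter names, patterns and sample inputs are constructed for the example; $conn is assumed to come from pg_connect().

```php
<?php
// Allow-list patterns: describe what a valid value looks like instead of
// trying to enumerate dangerous strings. Names and patterns are hypothetical.
const PARAM_RULES = [
    'id'       => '/^[1-9][0-9]{0,9}$/',            // positive integer, up to 10 digits
    'username' => '/^[A-Za-z][A-Za-z0-9_]{2,31}$/', // letter, then letters/digits/underscore
];

// Returns the value unchanged when it matches its rule, null otherwise.
function validate_param(string $name, ?string $value): ?string
{
    if ($value === null || !isset(PARAM_RULES[$name])) {
        return null;
    }
    return preg_match(PARAM_RULES[$name], $value) === 1 ? $value : null;
}

// Deny-list check in the spirit of a generic WAF rule: it flags a literal
// quote or a bare "chr(", but not an encoded spelling of the same thing.
function naive_denylist_flags(string $value): bool
{
    return preg_match("/'|chr\(|delete\s+from/i", $value) === 1;
}

// Constructed sample inputs, including the two tricks mentioned in the post.
$samples = ["42", "alice_01", "chr(39)", "cH%52(123-84)"];
foreach ($samples as $s) {
    printf("%-15s id: %-3s username: %-3s deny-list flagged: %s\n",
        $s,
        validate_param('id', $s) === null ? 'no' : 'yes',
        validate_param('username', $s) === null ? 'no' : 'yes',
        naive_denylist_flags($s) ? 'yes' : 'no');
}
// Output: "42" passes only the id rule, "alice_01" only the username rule,
// "chr(39)" fails both and is flagged, "cH%52(123-84)" fails both but is NOT
// flagged by the deny-list, which is why the allow-list is the primary check.

// Even a validated value should be bound, not concatenated into the SQL text;
// pg_query_params() keeps data separate from the statement (assumes $conn).
// $id = validate_param('id', $_GET['id'] ?? null);
// if ($id !== null) {
//     $res = pg_query_params($conn, 'SELECT name FROM users WHERE id = $1', [$id]);
// }
```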
