Home > mailing lists

Re: text column constraint, newbie question - Mailing list pgsql-general

From	David Wilson
Subject	Re: text column constraint, newbie question
Date	March 23, 2009 07:52:05
Msg-id	e7f9235d0903230051m38cabfbbk8852cf12f80085e6@mail.gmail.com Whole thread Raw
In response to	Re: text column constraint, newbie question (Scott Marlowe <scott.marlowe@gmail.com>)
List	pgsql-general

Tree view

On Mon, Mar 23, 2009 at 3:07 AM, Scott Marlowe <scott.marlowe@gmail.com> wrote:

> Are you saying pg_quer_params is MORE effective than pg_escape_string
> at deflecting SQL injection attacks?

pg_query_params() will protect non-strings. For instance, read a
number in from user input and do something of the form " and
foo=$my_number". Even if you escape the string, an attacker doesn't
need a ' to close a string, so he can manage injection. If it's " and
foo=$1" using pg_query_params(), however, that's not possible.

--
- David T. Wilson
david.t.wilson@gmail.com

pgsql-general by date:

From: Scott Marlowe
Date: 23 March 2009, 07:07:25
Subject: Re: text column constraint, newbie question

From: Ivan Sergio Borgonovo
Date: 23 March 2009, 08:10:28
Subject: Re: bash & postgres

Re: text column constraint, newbie question - Mailing list pgsql-general

Previous

Next