Re: Sql injection attacks - Mailing list pgsql-general

From Pierre-Frédéric Caillaud
Subject Re: Sql injection attacks
Date
Msg-id opsbuhp4gscq72hf@musicbox
In response to Re: Sql injection attacks  (Lincoln Yeoh <lyeoh@pop.jaring.my>)
List pgsql-general
> update tablea set a=10-$inputstring where key=1;

    Add parentheses:

update tablea set a=10-($inputstring) where key=1;

    Thus you get :
update tablea set a=10-(-1) where key=1;
    instead of :
update tablea set a=10--1 where key=1;

    You'd have a problem because -- is the Comment Delimiter thus
update tablea set a=10--1 where key=1;
    means :
update tablea set a=10;
    which does update all rows.

    I still think inputstring should be cast to int in YOUR code prior to being
sent to SQL, because then you can give a good error message to the user
instead of "SQL request failed".
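The three variants discussed in this thread, reproduced against an in-memory SQLite table as an added example (this is not code from the list post; `tablea`, its two constructed rows with `a=50`, and the helper names are assumptions). SQLite treats `--` as a comment delimiter just as PostgreSQL does, so the unparenthesised form updates every row, the parenthesised form computes `10-(-1)`, and the application-side integer cast rejects non-numeric input before anything reaches the database:

```python
import sqlite3
from typing import Dict, Optional, Union


def fresh_db() -> sqlite3.Connection:
    """Constructed sample table: two rows, key 1 and 2, both with a=50."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tablea (key integer primary key, a integer)")
    conn.executemany("insert into tablea values (?, ?)", [(1, 50), (2, 50)])
    conn.commit()
    return conn


def rows(conn: sqlite3.Connection) -> Dict[int, int]:
    """Snapshot of the table as {key: a}, so each variant's effect is visible."""
    return dict(conn.execute("select key, a from tablea order by key"))


def update_unparenthesised(conn: sqlite3.Connection, inputstring: str) -> Dict[int, int]:
    # The original form: the input is interpolated straight into the statement.
    # With inputstring "-1" this becomes "update tablea set a=10--1 where key=1;"
    # and everything after "--" is a comment, so the WHERE clause disappears.
    conn.execute(f"update tablea set a=10-{inputstring} where key=1;")
    return rows(conn)


def update_parenthesised(conn: sqlite3.Connection, inputstring: str) -> Dict[int, int]:
    # The fix suggested in the reply: "-1" now yields "a=10-(-1)", i.e. 11,
    # and the WHERE clause survives, so only key=1 changes.
    conn.execute(f"update tablea set a=10-({inputstring}) where key=1;")
    return rows(conn)


def validate_int(inputstring: str) -> Optional[int]:
    """Cast in application code; None means 'not an integer' and lets the
    caller produce a clear message instead of a generic SQL error."""
    try:
        return int(inputstring)
    except ValueError:
        return None


def update_validated(conn: sqlite3.Connection, inputstring: str) -> Union[Dict[int, int], str]:
    # The reply's preferred approach: cast to int first, then hand the value
    # to the driver as a bound parameter rather than as text in the statement.
    value = validate_int(inputstring)
    if value is None:
        return "error: a must be an integer"  # message shown to the user
    conn.execute("update tablea set a=10-? where key=1;", (value,))
    return rows(conn)


if __name__ == "__main__":
    print("unparenthesised, input -1:", update_unparenthesised(fresh_db(), "-1"))
    print("parenthesised,   input -1:", update_parenthesised(fresh_db(), "-1"))
    print("validated,       input -1:", update_validated(fresh_db(), "-1"))
    print("validated,       input abc:", update_validated(fresh_db(), "abc"))
```

Running it shows the unparenthesised statement setting `a=10` on both rows, while the parenthesised and validated forms leave key 2 untouched; the validated form is the only one that turns `abc` into a user-facing message rather than a database error.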

