Home > mailing lists

Re: Sql injection attacks - Mailing list pgsql-general

From	Pierre-Frédéric Caillaud
Subject	Re: Sql injection attacks
Date	July 28, 2004 11:19:19
Msg-id	opsbuhp4gscq72hf@musicbox Whole thread Raw
In response to	Re: Sql injection attacks (Lincoln Yeoh <lyeoh@pop.jaring.my>)
List	pgsql-general

Tree view

> update tablea set a=10-$inputstring where key=1;

    Add parenthesis:

update tablea set a=10-($inputstring) where key=1;

    Thus you get :
update tablea set a=10-(-1) where key=1;
    instead of :
update tablea set a=10--1 where key=1;

    You'd have a problem because -- is the Comment Delimiter thus
update tablea set a=10--1 where key=1;
    means :
update tablea set a=10;
    which does update all rows.

    I still think inputstring should be cast to int in YOUR code prior to be
sent to SQL, because then you can give a good error message to the user
instead of "SQL request failed".

pgsql-general by date:

From: Pierre-Frédéric Caillaud
Date: 28 July 2004, 11:12:41
Subject: Re: altering a table to set serial function

From: jseymour@linxnet.com (Jim Seymour)
Date: 28 July 2004, 11:24:09
Subject: Re: no value fetch

Re: Sql injection attacks - Mailing list pgsql-general

Previous

Next