Home > mailing lists

Escaping strings for inclusion into SQL queries - Mailing list pgsql-hackers

From	Florian Weimer
Subject	Escaping strings for inclusion into SQL queries
Date	August 22, 2001 16:08:31
Msg-id	tg7kvwqdlx.fsf@mercury.rus.uni-stuttgart.de Whole thread Raw
Responses	Re: Escaping strings for inclusion into SQL queries Re: Escaping strings for inclusion into SQL queries Re: Escaping strings for inclusion into SQL queries Re: Escaping strings for inclusion into SQL queries Re: Escaping strings for inclusion into SQL queries
List	pgsql-hackers

Tree view

It has come to our attention that many applications which use libpq
are vulnerable to code insertion attacks in strings and identifiers
passed to these applications.  We have collected some evidence which
suggests that this is related to the fact that libpq does not provide
a function to escape strings and identifiers properly.  (Both the
Oracle and MySQL client libraries include such a function, and the
vast majority of applications we examined are not vulnerable to code
insertion attacks because they use this function.)

We therefore suggest that a string escaping function is included in a
future version of PostgreSQL and libpq.  A sample implementation is
provided below, along with documentation.

--
Florian Weimer                       Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Attachment

pgsql-hackers by date:

From: Peter Eisentraut
Date: 22 August 2001, 16:06:44
Subject: Re: Locale by default?

From: Tom Lane
Date: 22 August 2001, 16:17:11
Subject: Re: GiST patches for 7.2 (please apply)

Escaping strings for inclusion into SQL queries - Mailing list pgsql-hackers

Attachment

Previous

Next