Thread: escaping and sql injection
Are there any links for escaping characters and sql injection prevention in postgres?

I have read where the ' character is not really the preferred escaping character, but it does seem to be the one I've seen for postgres.

Can multiple statements be issued in postgres, like:

'select count(*) from MyTable; drop MyTable;'
On Fri, Feb 21, 2003 at 03:09:01PM -0800, Dennis Gearon wrote:
> Are there any links for escaping characters and sql injection prevention in postgres?
>
> I have read where the ' character is not really the preferred escaping character, but it does seem
> to be the one I've seen for postgres.
>
> Can multiple statements be issued in postgres, like:
>
> 'select count(*) from MyTable; drop MyTable;'

You can solve the SQL injection problem by escaping all single quotes (') and backslashes (\) with a backslash.

I'm not sure about the multiple statement thing. It used to work but I'm not sure if it still does.

-- 
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Support bacteria! They're the only culture some people have.
On Fri, 2003-02-21 at 19:07, Martijn van Oosterhout wrote:
> You can solve the SQL injection problem by escaping all single quotes (')
> and backslashes (\) with a backslash.

Rather than doing this by hand, I think it's probably wiser to let your language interface do it for you. For example, libpq provides a PQescapeString() function for escaping strings. That particular function doesn't handle semi-colons, however.

Cheers,

Neil

-- 
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
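An added illustration of the two points raised in the thread (it is not code from the thread, and quote_literal is my own function, not libpq's PQescapeString): a small scanner counts the top-level statements in a query, showing that unescaped input turns Dennis's single SELECT into a SELECT followed by a DROP, while a properly quoted literal keeps it to one statement. The quoting here uses PostgreSQL's E'...' escape-string form with both \ and ' backslash-escaped, so the result does not depend on the server's standard_conforming_strings setting; in practice let the driver do this, or better, use parameters (PQexecParams or your driver's placeholders) so that data never enters the SQL text at all.

```python
# Added example (mine, not the thread's and not libpq's PQescapeString).

def quote_literal(value: str) -> str:
    """PostgreSQL E'...' literal with \\ and ' backslash-escaped; E'...' strings
    always process backslashes, so this does not depend on the server's
    standard_conforming_strings setting."""
    return "E'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def count_statements(sql: str) -> int:
    """Count top-level statements: ';' outside '...' / E'...' literals and
    outside -- comments. A small scanner, not a full SQL parser."""
    count, pending, i, n = 0, False, 0, len(sql)   # pending: text since last ';'
    while i < n:
        ch = sql[i]
        if ch == "-" and sql[i + 1:i + 2] == "-":      # -- comment to end of line
            nl = sql.find("\n", i)
            i = n if nl < 0 else nl + 1
            continue
        esc = (ch in "eE" and sql[i + 1:i + 2] == "'"
               and (i == 0 or not (sql[i - 1].isalnum() or sql[i - 1] == "_")))
        if ch == "'" or esc:                             # consume one literal
            pending = True
            i += 2 if esc else 1
            while i < n:
                if esc and sql[i] == "\\":
                    i += 2                               # backslash-escaped char
                elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
                    i += 2                               # doubled quote ''
                elif sql[i] == "'":
                    i += 1                               # closing quote
                    break
                else:
                    i += 1
            continue
        if ch == ";":
            count += 1 if pending else 0
            pending = False
        elif not ch.isspace():
            pending = True
        i += 1
    return count + (1 if pending else 0)

def build_query(name: str, escape: bool) -> str:
    # Query in the shape of Dennis's example; `name` is untrusted input.
    # escape=False is the vulnerable string concatenation.
    literal = quote_literal(name) if escape else "'" + name + "'"
    return "select count(*) from MyTable where name = " + literal

PAYLOAD = "x'; drop table MyTable; --"   # constructed malicious input for the demo
```

Running count_statements(build_query(PAYLOAD, escape=False)) gives 2 and count_statements(build_query(PAYLOAD, escape=True)) gives 1, which is the difference between the concatenated and the quoted query.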