Thread: escaping literals (in libpq)

escaping literals (in libpq)

From
Volkan YAZICI
Date:
Hi,

By using PQescapeString() and PQescapeBytea() we can protect SQL
commands from SQL-Injection. I just wonder if it's necessary to
use these escape functions when using PQexecParams() or
PQsendQueryParams(); or these execParam functions don't need
escaping literals?

# End of file


Re: escaping literals (in libpq)

From
Michael Fuhr
Date:
On Sun, Apr 03, 2005 at 03:27:47AM +0300, Volkan YAZICI wrote:
> 
> By using PQescapeString() and PQescapeBytea() we can protect SQL
> commands from SQL-Injection. I just wonder if it's necessary to
> use these escape functions when using PQexecParams() or
> PQsendQueryParams(); or these execParam functions don't need
> escaping literals?

Here's an excerpt from the PQexecParams() documentation:
   The primary advantage of PQexecParams over PQexec is that   parameter values may be separated from the command
string,thus   avoiding the need for tedious and error-prone quoting and   escaping.
 

Run some tests: create queries that do simple (but harmless) SQL
injection, submit them unescaped with PQexec() to verify that the
injection works, then escape them and submit them with PQexec() to
verify that escaping prevents the injection, then submit them
unescaped with PQexecParams() and observe what happens, then escape
them and submit them with PQexecParams() and observe what happens.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/


Re: escaping literals (in libpq)

From
Volkan YAZICI
Date:
Hi,

On Apr 3, 2005 7:33 PM, Michael Fuhr <mike@fuhr.org> wrote:
> Here's an excerpt from the PQexecParams() documentation:
> 
>     The primary advantage of PQexecParams over PQexec is that
>     parameter values may be separated from the command string, thus
>     avoiding the need for tedious and error-prone quoting and
>     escaping.
> 
> Run some tests: create queries that do simple (but harmless) SQL
> injection, submit them unescaped with PQexec() to verify that the
> injection works, then escape them and submit them with PQexec() to
> verify that escaping prevents the injection, then submit them
> unescaped with PQexecParams() and observe what happens, then escape
> them and submit them with PQexecParams() and observe what happens.

Thanks so much. I engrossed a little bit in my work and forgot the
main point in documentation.

Here's a little piece of code i scratched:
 * template1=# SELECT * FROM mytbl; *  usernm |  passwd  |     secret      * --------+----------+----------------- *
volkan| password | Home address...* (1 row)*/
 

#include <stdio.h>
#include <libpq-fe.h>

#define BUFLEN 1024

int main(void)
{   PGconn      *conn;   PGresult    *res;
   const char  user[] = "volkan";   const char  passwd[] = "fakepasswd' OR '' = '";   const char  *values[2];
   char        command[BUFLEN];
   conn = PQconnectdb("user=postgres dbname=template1");
   snprintf(command, BUFLEN, "SELECT secret FROM mytbl WHERE "            "user = '%s' AND passwd = '%s'", user,
passwd);  res = PQexec(conn, command);   printf("%d\n", PQntuples(res));   PQclear(res);
 
   values[0] = user;   values[1] = passwd;   res = PQexecParams(conn, "SELECT secret FROM mytbl WHERE "
    "user = '$1' AND passwd = '$2'",                      2, NULL, values, NULL, NULL, 0);   printf("%d\n",
PQntuples(res));  PQclear(res);
 
   return 0;
}

/* * $ gcc -Wall -lpq execParams.c &&./a.out * 1* 0*/