Thread: Protecting a web app from Postgresql injection
Hi all,

I have a web app I would like to protect against postgreSQL injection. What characters should I be on the lookout for? Any suggestions for enhancing the security of my app are welcome.

Mary Anderson
Mary,

Are you using parameter substitution in your queries? That is the best way to protect against these kinds of attacks. What language are you using? We can provide examples of this if you'd like.

Cheers,
-Josh

On Wed, 30 Jan 2008, Mary Anderson wrote:
> Date: Wed, 30 Jan 2008 13:48:59 -0800
> From: Mary Anderson <maryfran@demog.berkeley.edu>
> To: pgsql-novice@postgresql.org
> Subject: [NOVICE] Protecting a web app from Postgresql injection
>
> Hi all,
> I have a web app I would like to protect against postgreSQL injection.
> What characters should I be on the lookout for? Any suggestions for
> enhancing the security of my app are welcome.
>
> Mary Anderson
On Wed, 30 Jan 2008, at 13:48:59 -0800, Mary Anderson wrote:
> Hi all,
> I have a web app I would like to protect against postgreSQL
> injection. What characters should I be on the lookout for? Any
> suggestions for enhancing the security of my app are welcome.

The best way to protect against SQL injection is prepared statements; read more about this:
http://www.postgresql.org/docs/current/static/sql-prepare.html

Andreas
--
Andreas Kretschmer
Contact: Heynitz: 035242/47150, D1: 0160/7141639 (more: -> Header)
GnuPG-ID: 0x3FFF606C, private 0x7F4584DA http://wwwkeys.de.pgp.net
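An added example (not part of the thread, and not from the PostgreSQL documentation) showing the difference between the two approaches Josh and Andreas describe: a query assembled by string concatenation versus a server-side prepared statement from the SQL-level `PREPARE`/`EXECUTE` commands linked above. The `app_user` table, its rows and the statement name `find_user` are constructed for this illustration. The same binding happens when an application passes parameters separately through its driver (for example libpq's `PQexecParams`), which is what "parameter substitution" means in practice.

```sql
-- Constructed table and data for the illustration.
CREATE TABLE app_user (
    id       serial PRIMARY KEY,
    username text NOT NULL,
    email    text NOT NULL
);
INSERT INTO app_user (username, email) VALUES
    ('alice', 'alice@example.org'),
    ('bob',   'bob@example.org');

-- Vulnerable pattern: the application pastes user input into the SQL text.
-- If the submitted username is    ' OR '1'='1
-- the statement the server actually parses is the one below, and it
-- returns every row because the WHERE clause is now always true.
SELECT id, username, email
  FROM app_user
 WHERE username = '' OR '1'='1';

-- Safe pattern: the statement is parsed once with a placeholder ($1) and
-- the value is bound afterwards. Whatever the value contains, the server
-- only ever treats it as a text value, never as SQL.
PREPARE find_user (text) AS
    SELECT id, username, email
      FROM app_user
     WHERE username = $1;

-- Normal lookup: one row (alice).
EXECUTE find_user('alice');

-- The same injection payload as a bound value: zero rows, because no user
-- is literally named    ' OR '1'='1
EXECUTE find_user(''' OR ''1''=''1');

DEALLOCATE find_user;
```

The protection comes from the value being bound, not from the word `PREPARE`: if the application builds the `EXECUTE find_user('...')` command itself by concatenating the input into a string, the input is back inside the SQL text and the prepared statement adds nothing. Let the driver's parameterized-query API pass the value separately.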
On Wed, 30 Jan 2008, Mary Anderson wrote:
> Hi all,
> I have a web app I would like to protect against postgreSQL injection.
> What characters should I be on the lookout for? Any suggestions for
> enhancing the security of my app are welcome.

Not actually helpful but...
http://xkcd.com/327/

--
Michael
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michael John Lush PhD                  Tel: 44-1223 492626
Bioinformatician                       HUGO Gene Nomenclature Committee
Email: hgnc@genenames.org              European Bioinformatics Institute
Hinxton, Cambridge                     URL: http://www.genenames.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi,
It may be interesting to read this: http://lwn.net/Articles/185813/

And, IMHO:

In a web app you can take advantage of the possibility of having several layers, the n-layer model, to validate and filter, and even change as you need, the user's input when the security of your app is at risk. In that sense, keeping undesired characters out of the db tables starts at the web pages in the form of JavaScript validation, goes on in the middleware, and can be done a last time in the functions that insert content into tables.

Personally I prefer to use functions (stored procs) for inserts and updates of table contents, and never use SQL code in web pages or in middleware objects; there is always a function that inserts or modifies the table contents. This allows me to have the db structure deep at the bottom layer of the app, so only the people dealing with the db know the real structure of the tables, or the db.

Hope these simple hints help.
Andy
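An added example (not part of the thread, and not Andy's code) of the approach described above: table writes go through a PL/pgSQL function that takes the values as parameters, with the validation step living in the same bottom layer. It also shows the one way such a function can still be injected, dynamic SQL built by concatenation with `EXECUTE`, and the safe form using `EXECUTE ... USING` for values and `format('%I')` for identifiers. The `app_user` table and all function names are constructed for the illustration. `EXECUTE ... USING` and `RETURN QUERY EXECUTE` need PostgreSQL 8.4 or later and `format()` needs 9.1 or later; on older servers `quote_literal()` and `quote_ident()` serve the same purpose.

```sql
-- Constructed table for the illustration.
CREATE TABLE app_user (
    id       serial PRIMARY KEY,
    username text NOT NULL UNIQUE,
    email    text NOT NULL
);

-- Static SQL inside a function: the parameters are values and are never
-- parsed as SQL, so the caller cannot alter the INSERT.
CREATE OR REPLACE FUNCTION add_user(p_username text, p_email text)
RETURNS integer
LANGUAGE plpgsql
AS $$
DECLARE
    new_id integer;
BEGIN
    -- Last-line validation at the db layer (hypothetical rule).
    IF p_email NOT LIKE '%@%' THEN
        RAISE EXCEPTION 'invalid email address: %', p_email;
    END IF;
    INSERT INTO app_user (username, email)
         VALUES (p_username, p_email)
      RETURNING id INTO new_id;
    RETURN new_id;
END;
$$;

-- The application calls the function instead of writing INSERTs itself.
SELECT add_user('alice', 'alice@example.org');
-- An injection payload passed as a parameter is simply stored as a username.
SELECT add_user(''' OR ''1''=''1', 'x@example.org');

-- Caveat: dynamic SQL assembled by concatenation inside a function is NOT
-- protected by being "a stored procedure". This version is injectable:
-- find_user_unsafe(''' OR ''1''=''1') returns every row.
CREATE OR REPLACE FUNCTION find_user_unsafe(p_username text)
RETURNS SETOF app_user
LANGUAGE plpgsql
AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM app_user WHERE username = ''' || p_username || '''';
END;
$$;

-- Dynamic SQL done safely: the value is bound with USING and the table
-- name (here a constant) goes through format('%I'), which quotes identifiers.
-- find_user_safe(''' OR ''1''=''1') returns only the row add_user stored above.
CREATE OR REPLACE FUNCTION find_user_safe(p_username text)
RETURNS SETOF app_user
LANGUAGE plpgsql
AS $$
BEGIN
    RETURN QUERY EXECUTE
        format('SELECT * FROM %I WHERE username = $1', 'app_user')
        USING p_username;
END;
$$;
```

Moving SQL into functions hides the schema from the upper layers, as Andy says, but it only removes injection when the SQL inside the function is static or binds its values; a function that concatenates its arguments into an `EXECUTE` string has the same bug as the web page it was meant to replace.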