| From: | Florian Weimer <fw(at)deneb(dot)enyo(dot)de> |
|---|---|
| To: | Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: possible design bug with PQescapeString() |
| Date: | 2006-02-19 10:08:01 |
| Message-ID: | 873bifk6f2.fsf@mid.deneb.enyo.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Tatsuo Ishii:
> Users can input value for "var" from a web form. The attacker inputs
> following string:
>
> (0x95+0x27);DELETE FROM members;--
>
> where 0x95+0x27 is actually a SJIS mutibyte KANJI. Programmer applies
> PQescapeString() to it and gets:
>
> 0x95+0x27+0x27;DELETE FROM members;--
Uh-oh, this is my fault. PQescapeString should escape all characters
greater than 126. Unfortunately, there is nothing we can do about
this in the current function because tha twould need four times the
lenggth of the input string (plus one). Drat.
(I don't think you should have to consider the encoding in the client;
strange things may happen if there is an interpretation conflict
between the client and the backend.)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tatsuo Ishii | 2006-02-19 10:25:04 | Re: possible design bug with PQescapeString() |
| Previous Message | Dave Page | 2006-02-19 10:02:53 | Re: Pgfoundry and gborg: shut one down |