| From: | Harald Fuchs <hf0923x(at)protecting(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: a stored procedure ..with integer as the parameter |
| Date: | 2005-10-25 12:51:48 |
| Message-ID: | 877jc1u5cr.fsf@srv.protecting.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
In article <33c6269f0510241421p2802061dhe79b3d99495b8087(at)mail(dot)gmail(dot)com>,
Alex Turner <armtuk(at)gmail(dot)com> writes:
> delete * from user; > select * from table where my_id=$in_value > Am
> I just smoking crack here, or does this approach have some merit?
> The former :-) The correct defense against SQL injection is proper
> escaping, not quoting. How about $in_value = '1''; delete from
> user'?
> This would be escaped by magic_quotes resulting in:
> select * from table where my_id='\'1\'\'; delete from user \'', which would
> result in an error, and a failed attack would it not, which would be a good
> thing?
If your "magic_quotes" are magic enough to not blindly surrounding the
argument in quotes, but also escape dangerous chars like "'" inside
the argument, then you're safe.
> I tried to create this scenario, but in a trasactional environment, it
> executes, but blew the transation so the data never committed as the select
> query generated an error with the insert on the end...
... and that's exactly what it should do. You just need to catch the error
and generate a meaningful error message.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Zoltán Dudás | 2005-10-25 13:36:44 | Re: STL problem in stored procedures |
| Previous Message | Matthew T. O'Connor | 2005-10-25 12:40:23 | Re: [ANNOUNCE] PostgreSQL 8.1 Beta 4 |