Skip site navigation (1)
Skip section navigation (2)
On Wed, Apr 30, 2008 at 10:58 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
Well, if the the query was:
WITH CONSTANT c_jobrole = <value from a FORM text field>, CONSTANT c_dept = 10
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
And if the attack supplied a value 'clerk OR 1=1' the final query (after replacing constants) would look like this:
SELECT * FROM emp WHERE jobrole = 'clerk OR 1=1' and deptno = 10;
The attacker was not able to inject any new code there.
(reiterates: and let postgres allow literals only in the WITH clause)
I am not sure I understood this example.
Best regards,
--
gurjeet[(dot)singh](at)EnterpriseDB(dot)com
singh(dot)gurjeet(at){ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB http://www.enterprisedb.com
Mail sent from my BlackLaptop device
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: "Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com>
- To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
- Cc: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Wed, 30 Apr 2008 23:07:55 +0530
- Message-id: <65937bea0804301037q4febd3a3pf680db64387893e2(at)mail(dot)gmail(dot)com>
On Wed, Apr 30, 2008 at 10:58 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
"Gurjeet Singh" <singh(dot)gurjeet(at)gmail(dot)com> writes:[ scratches head... ] And that will provide SQL injection protection how?
> Maybe we can extend the SQL's WITH clause do declare the constant along with
> the query, and not separate from the query.
> WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
> SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
Well, if the the query was:
WITH CONSTANT c_jobrole = <value from a FORM text field>, CONSTANT c_dept = 10
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
And if the attack supplied a value 'clerk OR 1=1' the final query (after replacing constants) would look like this:
SELECT * FROM emp WHERE jobrole = 'clerk OR 1=1' and deptno = 10;
The attacker was not able to inject any new code there.
(reiterates: and let postgres allow literals only in the WITH clause)
Anyway, you hardly need new syntax to do that, I'd expect
WITH SELECT 'clerk' AS c_jobrole ...
to accomplish it just fine.
I am not sure I understood this example.
Best regards,
gurjeet[(dot)singh](at)EnterpriseDB(dot)com
singh(dot)gurjeet(at){ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB http://www.enterprisedb.com
Mail sent from my BlackLaptop device
- Follow-Ups:
- Re: Protection from SQL injection
- From: Aidan Van Dyk
- Re: Protection from SQL injection
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Brendan Jurd
- Re: Protection from SQL injection
- From: PFC
- Re: Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Tino Wildenhain
- Re: Protection from SQL injection
- From: Andrew Dunstan
- Re: Protection from SQL injection
- From: Tino Wildenhain
- Re: Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Gurjeet Singh
- Re: Protection from SQL injection
- From: Tom Lane
- Protection from SQL injection
- Prev by Date: Re: Protection from SQL injection
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: