Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>
- To: pgsql-sql(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Sun, 27 Apr 2008 11:14:11 +0200
- Message-id: <5f211bd50804270214s852989me86c61caecadb5b(at)mail(dot)gmail(dot)com>
Hi, > providing a mode in which the server would reject PQexec strings containing more than one query. That wouldn't help a lot. The simple SQL injection is not detected: ResultSet rs = stat.executeQuery( "SELECT * FROM USERS WHERE PASSWORD='" + password + "'"); An attacker would only need to use the following password: ' OR 1=1 The the SQL statements is still only one query: SELECT * FROM USERS WHERE PASSWORD='' OR 1=1 Regards, Thomas
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: Thomas Kellerer
- Re: Protection from SQL injection
- From: Scott Marlowe
- Re: Protection from SQL injection
- From: Tom Lane
- Re: Protection from SQL injection
- From: Scott Marlowe
- Re: Protection from SQL injection
- From: Tom Lane
- Protection from SQL injection
- Prev by Date: Re: Protection from SQL injection
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: