Re: Secure "where in(a,b,c)" clause.

From: brian
Subject: Re: Secure "where in(a,b,c)" clause.
Date:
Msg-id: 47F51593.1080205@zijn-digital.com
In response to: Secure "where in(a,b,c)" clause.  ("William Temperley" <willtemperley@gmail.com>)
List: pgsql-general
William Temperley wrote:
> Hi All
>
> I hope this isn't a FAQ, but does anyone have any suggestions as to
> how to make a query that selects using:
>  "where in(<comma delimited list>)"
> secure from an sql injection point of view?
>
> I have a grid of tiles I'm using to reference geographical points.
> These tiles are identical to the tiling system google maps uses. My
> google maps application works out the tiles it wants to display as a
> list of tile names, and sends this list to a php script.
>
> This works very well, however I'm currently directly concatenating a sql query:
>
> select st_collect(the_geom) from tiles where tilename in
>     (<comma delimited list>)
>
> Which leaves my application vulnerable to sql injection.
>
> As the length of the comma delimited list is highly variable I don't
> think I can use a prepared query to increase security.
>

Aside from using a prepared statement, your application code can simply
ensure that each named tile follows whatever naming conventions you have
in place. A very basic regex should do.

b
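
The following is an added example, not code from the thread or from either poster, showing the two controls discussed above side by side: the concatenated IN list from the original question (deliberately vulnerable), a parameterized version that emits one placeholder per list element, and a whitelist regex check on each tile name. It uses an in-memory SQLite database as a stand-in for PostgreSQL so it runs offline (PostGIS's st_collect and geometry type are not available there, so the_geom is plain text), and the tile naming convention `zoom_x_y` is an assumption, since the original post does not state the real one. SQLite's DB-API placeholder is `?`; with psycopg2 against PostgreSQL it would be `%s`, and everything else is the same.

```python
import re
import sqlite3

# Constructed sample tile names in an assumed "zoom_x_y" convention
# (the original post does not give the actual naming scheme).
SAMPLE_TILES = ["1_0_0", "1_0_1", "1_1_0", "1_1_1", "2_3_3"]

# Assumed whitelist pattern for a tile name: ASCII digits only, so [0-9]
# rather than \d (which also matches non-ASCII digits in Python), and
# fullmatch rather than match (which would let a trailing newline through).
TILENAME_RE = re.compile(r"[0-9]{1,2}_[0-9]{1,7}_[0-9]{1,7}")


def make_db():
    """In-memory SQLite stand-in for the PostgreSQL tiles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tiles (tilename text primary key, the_geom text)")
    conn.executemany(
        "insert into tiles values (?, ?)",
        [(name, f"geom-{name}") for name in SAMPLE_TILES],
    )
    return conn


def query_concatenated(conn, names):
    """The vulnerable original: the comma-delimited list is spliced into the
    SQL text, so a crafted 'tile name' changes what the statement means."""
    in_list = ", ".join(f"'{n}'" for n in names)
    sql = f"select tilename from tiles where tilename in ({in_list})"
    return sorted(row[0] for row in conn.execute(sql))


def validate_names(names):
    """brian's suggestion: each name must match the naming convention.
    Returns the names unchanged or raises ValueError for the first bad one."""
    for n in names:
        if not TILENAME_RE.fullmatch(n):
            raise ValueError(f"invalid tile name: {n!r}")
    return list(names)


def query_parameterized(conn, names):
    """The fix for a variable-length list: build one placeholder per element
    and pass the values separately, so they are data, never SQL. The empty
    list is handled explicitly because 'IN ()' is a syntax error in PostgreSQL."""
    if not names:
        return []
    placeholders = ", ".join("?" for _ in names)
    sql = f"select tilename from tiles where tilename in ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, tuple(names)))


def demo():
    """Run both query styles against a benign list and the same list with a
    constructed injection string appended; return the results for inspection."""
    conn = make_db()
    wanted = ["1_0_0", "1_0_1"]
    hostile = wanted + ["x') or 1=1 --"]  # constructed injection payload
    results = {
        "concat_benign": query_concatenated(conn, wanted),
        "concat_hostile": query_concatenated(conn, hostile),  # every tile leaks
        "param_benign": query_parameterized(conn, wanted),
        "param_hostile": query_parameterized(conn, hostile),  # payload is just a value
    }
    try:
        validate_names(hostile)
        results["hostile_passes_regex"] = True
    except ValueError:
        results["hostile_passes_regex"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two controls are complementary: the placeholder list is what actually keeps the tile names out of the SQL grammar, and the regex check rejects garbage early and keeps odd values out of the query planner. In PHP with PDO the same construction is `implode(',', array_fill(0, count($names), '?'))` followed by `prepare()` and `execute($names)`. PostgreSQL also offers a way to avoid counting placeholders at all: pass the whole list as one array parameter and write `where tilename = ANY(%s)`, which psycopg2 supports directly by adapting a Python list to a SQL array.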
