Re: Prepared Statements

On Thu, 2003-07-17 at 16:47, Dmitry Tkach wrote:
[snip]
> >
> > This is a security hole known as SQL injection.
>
> No, it isn't :-)
> The "hole" you are referring to is letting the users type in entire
> queries, not just input parameters.
> As long as you have control over how your sql is constructed, you not
> any less (nor any more) safe with plain Statements than you would be
> with PreparedStatements. The do the same exact thing.

In my understanding the prepared statement will properly escape any
parameter so it can be trusted that the resulting query will not contain
something you wouldn't expect. Example (< and > are delimiters, ignore
them):

query: <SELECT * from address_book WHERE name = ?>

input: <joe';delete from address_book where 'true>

result if you just replace the <?> with <'$input'>:
SELECT * from address_book WHERE name = 'joe';delete from address_book
where 'true'
-> results in 2 statements executed

result if you use prepared statement:
SELECT * from address_book WHERE name = 'joe\';delete from address_book
where \'true'

As you can see, the "clever" injection attack is still rejected through
escaping the <'> characters. You can't possibly cause SQL injection
while using prepared statements.

Cheers,
Csaba.

>
> Dima
>
> > If you are using a normal Statement then your users can probably
> > delete whole tables from the database but with a PreparedStatement you
> > would write
> >
> > String query = "SELECT * from address_book WHERE name = ?"
> >
> > and the command actually passed over to the database would be
> >
> > SELECT * from address_book WHERE name = 'joe;delete from address_book'
> >
> > I'm sure you can see the difference. Maybe PreparedStatements will
> > have a performance gain in some future release but at the moment they
> > have a vital role to play in database security.
> >
>
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
>